
She reported this issue on April 3rd. Google marked it as a duplicate on April 21st, meaning someone else had already reported it.

After it was not fixed, she publicly disclosed the issue and within 7 hours it was patched.

What broke in the process at Google? This issue allowed GSuite users to impersonate each other to send email. That is very serious.

Especially since Google gives a fairly strict 90 day disclosure deadline themselves.

https://www.google.com/about/appsecurity/


Yeah I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here. Sure, Google patched the bug very quickly after disclosure. But given that Google waited so long, it sure looks like they only prioritized the fix once disclosure was a risk. If anything, I think that the author should have scheduled disclosure sooner.


> I do not understand why the author waited so long to disclose and also feels that Google deserves a "stellar job" here.

Because people are afraid of megacorps. They've found the courage to disclose the issue, but they've also felt that the blow needs to be softened by praising Google's security team, despite their negligence in handling this issue.


> I think that the author should have scheduled disclosure sooner.

Yup. Ninety days is fine. More people should choose ninety days up front and not allow themselves to be strung along indefinitely.

Project Zero actually has granted two exceptions to their policy (out of well over a thousand cases), both to rival companies (Apple and Microsoft). On the whole I would say you should resist doing this, just set the policy and reap the consequences whatever they might be. If somebody's $100Bn company burns to the ground because they couldn't get their shit together for three whole months too bad.


The problem is that you hurt a lot of users along the way in extreme cases.


It's not you that hurt the users, it's the company for not being able to competently route, schedule, and fix their issue.

The reporter is only to blame if they actively exploit the vulnerability in order to harm users, not if they publish it publicly, with or without advanced notice to the company.


Or the bug fix can be hard to implement, test, and release in 3 months. I'm not saying it's the majority of bugs, but these could qualify.


I would argue that 90 days is 90 days too long. It should be 7 days at most.


Should Google Project Zero also switch to 7 days?


No, it should switch to 0 days, that will fit with their name too.


I was thinking about how I would handle it, were I in the same situation and I think I came upon a decent idea.

1) 90-day disclosure initially
2) assuming communication, I would agree to extend for another 30 days
3) 15 days more
4) 7 days more
5) 3 days more
6) 1 day more
7) 12 hours
8) 6 hours
9) 3 hours
10) 1 hour
11) publish

More work for me, sure, but it doesn't drag things out indefinitely, and I think it would have (at the later stages) created a sense of immediacy to get this fixed.


> Yeah I do not understand why the author waited so long to disclose

The author might have a Google account which, if cancelled, would disrupt their life considerably.


I have been on both sides of this situation. Running bug bounty programs, and submitting vulnerabilities to Google both before and after I worked there.

Often a researcher will find a bug, report it, and then weeks or months later reply with a follow up that dramatically changes the scope or severity.

Based on all of my interactions with the Google VRP program, I consider it much more likely the researcher isn't giving the whole story about the timeline. They are super responsive, take shit seriously, and push teams to get patches out.


Just a guess: there are some large existing customers depending on the current behaviour, and they were reluctant to make the email sending fail by patching it.
