Comment by mjevans

I can see longer than 90 days if there's some HUGE change required, and a decent sized team is allocated to the problem for most of their work time. OR if there's a solution but it needs to progress on a specific (and relatively short) timeline for customer notification.

However that additional leeway should be afforded by the researcher and/or their lawyers / representatives. It's something a company might ask for in good faith in response to a larger than usual issue.