Comment by tptacek

2 days ago

They can publish it whenever they want. There's no actual rules about this stuff. The 90-day window is a courtesy.

Specifically, there are responsible disclosure guidelines that came about to deal with the problem of people dropping 0day on a vendor with no prior warning. So 90 days is a commonly accepted amount of time to give a vendor to produce a fix. If the vendor needs more time they can request that the submitter give them an extension, although in this case it appears the vendor never responded, hence the repeated entries in the timeline saying "tried to contact vendor, no response" to show they tried to do the right thing.

  • No there aren't. "Responsible disclosure" is an Orwellian term invented by vendors to create the idea that publishing independent research without vendor permission is "irresponsible". It is absolutely not the case that researchers owe anybody 90 days, or are obligated to honor requests for extensions. Project Zero, which invented the 90-day-plus-extension system, does that as a courtesy.