Yeah, that holier than thou attitude of Google's stinks: "Look! We're doing your job for you because the public has a right to know."

Frankly, I reckon the public has a right to know what goes on behind closed doors at Google... what it stores on its masses of data banks and servers about anyone and everyone... about what they've done, where they've been and why.  Thing is, Google is probably the most secretive company on the planet, with employees required to sign non-disclosure and privacy agreements that surpass even covert gov't departments, so if a whole load of shit is going on inside Google, nothing is coming out of there unless Google wants us to know... which isn't likely.

90 Days?  As long as it was submitted properly that is more than generous.  A good explanation of the practice is given here:

https://googleprojectzero.blogspot.com/2015/02/feedback-and-data-driven-updates-to.html

They, for various reasons, don't always follow this though, as seen in the recent https://en.wikipedia.org/wiki/Cloudbleed issue.

Generous for whom? MS? Maybe...but if they don't fix it, just who's is vulnerable?

They're notifying the hackers, among others when they go public with vulnerabilities.

Them going public helps you and me just how? 

100% Agreed.   It is today's culture of (as you already put it) 'oneupmanship' rearing it's ugly head here again.  Nothing more, or less.

It has always been a "Keep up with the Joneses" type thing. Sad part is if one person does something worthwhile there will be those who oppose it because they didn't think of it first.

I call that cheating because they did it before I did. 

Unfortunately the reality is, if a "White hat" has found it, it's very likely a "Black hat" has already or will soon find it as well, which is a big reason why a time limit on the notification is important, to force action, and allow the public to take precautions.

Or to quote the article I linked: "Deadlines also acknowledge an uncomfortable fact that is alluded to by some of the above policies: the offensive security community invests considerably more into vulnerability research than the defensive community. Therefore, when we find a vulnerability in a high profile target, it is often already known by advanced and stealthy actors."

Do you disagree?

well... you could argue the blackhats who knew about it and keeping quiet are more likely to be state affiliated and selective against their targets. compared to kits built using disclosure info being available to everyone and dog who whacks everyone and dog. obviously it's not a hard and fast rule...

WHo are you addressing your question to? the_Monk? Me?

If it's to me, I would have to answer that I have no way of knowing, and neither does Google, until malware exploiting that specific breach starts appearing. I've not read of it yet, have you? So, maybe their logic is flawed? 

As flawed as making vulnerabilities public to people who can't fix them, and are potentially harmed by (not theoretically but ACTUALLY harmed - us) and to those who can exploit them (the blackhats).

Yeah I quoted your text so was directing the question your way, I've never encountered someone strongly opposed to the concept of responsible disclosure so was interested in that point of view.  I think we'll have to agree to disagree.  I  do think that your and alaknebs' point regarding exposing it to the world makes it much easier for amateurs to exploit it is valid, but in my opinion that does not outweigh the benefit of eventually disclosing the exploit to the general public so that we can take measures to safeguard ourselves. 

unless there's no measure that you can take.. aside from pulling the plug. i don't think anyone is opposed to disclosure. the tricky thing is the amount of time a company is given to fix an issue. how do you know if a company is dragging its feet or having difficulties?

That depends entirely on ones definition of responsible disclosure which is exactly the point here.  I and others in this thread view google's actions as less than 'responsible' and more self-serving in nature than anything else really.

Assuming the average joe even knows what 'take measures to safeguard ourselves' means; here we once again have a case of locking the barn door AFTER the horse has escaped mentality being peddled as justification for 'responsible disclosure' (which as previously stated is most often not responsible at all). 

The better 'responsible action' would be, GOOGLE and any other self-serving entity with the power to spread information to spread more knowledge on topics I have beaten to death in many a thread here (ie. LEAST PRIVILEGE etc. etc.) and how the average user can use that information for safer computing.  That would actually help prevent 'exploits' such as this even begin taking hold.  Unfortunately those with the power to disseminate information quickly are more focused on 'ambulance chasing' than actually helping anyone for it to make a difference anyway. 

I've been using Seamonkey (Mozilla / Netscape Communicator fork) for about a year now without incident. IE / Edge should only be used to go download a real browser. I am personally boycotting Google for their invasive tracking.