We may like Google and its policies more or less. But if there is one thing I found more than objectionable, it was its Project Zero, a team that investigates all kinds of software to find security flaws. The problem with this project was not that it investigated, but that it put pressure on companies to fix the bugs by publishing them almost immediately. But if you have noticed, we are talking in the past tense.
Google has published what its new policy will look like. Until now, the company behind the great search engine, allow me the expression, did "whatever it wanted", which usually meant finding a flaw (ahem, in a rival company's software, unlike some that they do keep quiet about), reporting it to the affected party and publishing all the details within hours or days. From now on they will give three months, or 90 days to be exact, so that developers have time to repair the problem. After that period, they will publish all the details.
Project Zero relaxes
Only if both companies (Google and the software developer) reach an agreement will the details be published before the mentioned 90 days. If there is no agreement, it does not matter whether the flaw is fixed in 1, 20 or 90 days; Google will publish the details after three months.
Project Zero says that some developers have contacted them to ask for even more time, because three months may not be enough, but Google believes that is not necessary. In addition, the pressure will motivate them to fix the bugs that are found, which also means these security problems get corrected before the next one is discovered.
Personally, I think this is good news for everyone. It was a very ugly gesture to find a bug and publish it so soon, since the only ones affected, or at least the most affected, were us users, who ended up using software with at least one publicly known vulnerability. The change will take effect in the year we have just entered.