15/09/24 - Report sent to vendor
...
29/01/25 - Vendor requests extension for disclosure to 12/02/2025
09/02/25 - Confirm to vendor that both parts of the exploit have been fixed (T+147 days since disclosure)
12/02/25 - Report disclosed
So that is 136 days not fixed(?) and Google asks for extension.
Then 147 days to fix and 150 days to public disclosure.
Compare this to Google Project Zero which gives other companies the following time to fix before disclosure...
>"This bug is subject to a 90 day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline."
>If the patch is expected to arrive within 14 days of the deadline expiring, then Project Zero may offer an extension...Note however, that the 14-day grace period overlaps with the 30-day patch uptake window, such that any vulnerability fixed within the grace period will still be publicly disclosed on day 120 at the latest (30 days after the original 90-day deadline).
>If we don't think a fix will be ready within 14 days, then we will use the original 90-day deadline as the time of disclosure. That means we grant a 14-day grace extension only when there's a commitment by the developer to ship a fix within the 14-day grace period.
Compare this to Google Project Zero which gives other companies the following time to fix before disclosure...
>"This bug is subject to a 90 day disclosure deadline. If a fix for this issue is made available to users before the end of the 90-day deadline, this bug report will become public 30 days after the fix was made available. Otherwise, this bug report will become public at the deadline."
>If the patch is expected to arrive within 14 days of the deadline expiring, then Project Zero may offer an extension...Note however, that the 14-day grace period overlaps with the 30-day patch uptake window, such that any vulnerability fixed within the grace period will still be publicly disclosed on day 120 at the latest (30 days after the original 90-day deadline).
>If we don't think a fix will be ready within 14 days, then we will use the original 90-day deadline as the time of disclosure. That means we grant a 14-day grace extension only when there's a commitment by the developer to ship a fix within the 14-day grace period.
https://googleprojectzero.blogspot.com/p/vulnerability-discl...