Microsoft is slow to patch a vulnerability and Google lets us know.
Microsoft was notified over 90 days ago about a vulnerability that would allow a user with local credentials to elevate their rights to those of an admin. Google’s Project Zero policy is to give the vendor 90 days to fix the issue and then disclose it to the public, whether fixed or not.
I approve of this practice. 90 days is ample time for a fix. The more time a system is vulnerable, the more likely someone will exploit it.
So what do you think? Should Google continue the practice of disclosure after 90 days or just wait until the vendor fixes it regardless of how long that takes?
Tags: 8.1, Google, Microsoft, Project Zero, Vulnerability, Windows