There are plenty of fruitful conversations to be had WRT the concept of responsible disclosure, but a fundamental pillar is that vendors are held to some deadline so that they cannot hem and haw indefinitely while leaving their users vulnerable. It's certainly a valid argument to posit that 90 days may be too short of a deadline, but a valid counterargument is that if a company like Apple cannot ship a security patch within 90 days, then their process itself is broken.


Nit to pick. Prefer the term coordinated disclosure. Responsible disclosure puts things on an unnecessary moral dimension. It’s not irresponsible to disclose bugs ever, IMO. I have seen this debate a million times now, but I know it is new for someone.


Notice that Intel used the term "coordinated disclosure" for last week's new raft of microarchitecture bugs; "responsible disclosure" is on the way out for exactly the reason you stated.


That is neat, I actually didn’t even notice and I read the thing. Seems like progress on this topic to me.


Thanks for the tip, I didn't know there existed a better term for this. Indeed, I always felt that "responsible" was a loaded adjective in that context.
