90 Days

90 days is way too much time. The issue should be public the moment you find it if you want to responsibly disclose it. It's irresponsible to put people at risk longer than they have to be.

>but what if the developer doesn't have a fix ready

Who cares? Just tell people to stop using the product.

>but then companies will lose users

Then don't make vulnerable software. It should be illegal to release software with major vulnerabilities. Maybe if these companies were punished hard enough they would actually invest in making secure software. The fact that vulnerabilities happen on a constant basis makes computer engineering a joke of the engineering professions.