
Was this found by, or originally reported to, Project Zero?


Precisely the point OP is making. The rules for Project Zero are different, not that Project Zero is applying them differently.


90 days is fairly common in the industry, but not universal. GPZ is definitely not uniquely strict on disclosures.


That's not the problem. It is not that Project Zero is strict.

The researcher here allowed 9 months for them to fix. Should he have disclosed after 90 days? Clearly Google didn't use the time to fix.

It looks bad when you have a hard policy to disclose but not to fix.


> The researcher here allowed 9 months for them to fix.

The researcher is basically allowed to do whatever they want here. They can wait 0 days and just post to the full-disclosure mailing list. Or they could never disclose it.

Personally, I've done both. I took DJB's "Unix Security Holes" class, where we had to find 10 vulnerabilities in OSS as the class's final project. All of those got 0-day disclosed because that is how DJB rolls. I've also independently found bugs, and I was satisfied by the resolution from emailing security@ that company.


Well, it is easier when your income doesn't depend on the bug bounties. Some companies won't pay if you disclose without their consent.

Same as any job really; if I don't care whether I get paid, I can work under different rules.


He could have if he wanted to. He could have disclosed immediately if he wanted to.

Google does not have a hard policy to disclose. GPZ does. Vulns in external products found through other groups within Google do not share all the same processes as GPZ.


GPZ is not some independent entity Google just funds; they are as much a part of Google as any other team.

If you want to be that precise, it is a bad look for part of your organization to have a hard policy that you expect external companies to follow, while parts of the organization itself cannot do the same.

I am not saying Project Zero is wrong; clearly giving more time did not prod Google to actually fix it in a timely manner. He certainly was being too polite and gave too much time. I don't know why; perhaps companies don't pay bounties if you disclose without their consent [2]?

All I am saying is that Google as a company should hold itself to the same hard standard and fix issues in 90 days. This is what Google Project Zero as a team expects other companies [1] to do; they will even reject requests for extensions.

As a company, if they can't do it, they shouldn't expect others to do it either, right? Or they should disclose reported vulnerabilities even if not fixed in 90 days.

[1] Maybe they do it for internal teams as well, but that is not relevant to us; all we should be concerned with is how they behave externally with disclosing and solving issues.

[2] Perhaps part of the reason GPZ is able to have this hard policy is because they don't depend on bug bounties as a source of income, as independent researchers do.



