
Yes. 90-day windows are for us, not for companies/projects/teams. They are an acknowledgement that the producer of the software is best suited to patch and get that update to users. If they aren't suited for the task, notifying users that they are at risk is the right thing to do.


Out of the following two outcomes:

1. Tell the company; maybe it takes another week to get it fully fixed.

2. Tell users, most of whom will never hear about it, while hackers will.

The first still seems better. As long as Google isn't pulling the extension and uninstalling it from all Chrome users, it seems like disclosure is only hurting most users.


That is a perfectly respectable and intellectually coherent rationale for not disclosing bugs you find prior to the availability of their patches.

However, on the off chance that you are somehow (despite it being 2015) new to the Great Disclosure Debate, you should be aware that there are other respectable and intellectually coherent rationales for other disclosure schedules, and that you are vanishingly unlikely to be the Internet Message Board Commenter That The Prophets Foretold Would Resolve The Disclosure Debate.

So while it's one thing to use this incident to give voice to your own reasoning about how disclosure should be handled, it's another thing entirely to moralize about it --- in this case, repetitively --- with a tone suggesting that the debate has somehow been settled, and you've somehow found out about that before the rest of us.

Your opinions about vulnerability research also get a lot more interesting if you can tell us about your own VR/xdev experience. Because, like it or not, and I know from your comments thus far that you do not like this, if Tavis Ormandy said "new rule: you can disclose 15 seconds after discovery, patch or no patch, so long as you yourself are wearing a pirate eye patch with a large googly eye glued to it", a pretty big swath of the security research community would accept that as The New Rule.


Um, I'm not considering it settled.

I think that this violates Google's stated policy, or at least would like an explanation of why it doesn't. I think that publicizing against your own policy may be worse than publicizing independently.

Is your only problem my tone? And do you think the point about Google's policy is entirely moot, and if so, why?

Re disclosure debate: In this specific instance it seems like it either would have been fixed relatively soon with an audit, or it would not have been fixed and Google would need to remove it from their store. Given that the person making the choice to publicize also has the power to "patch" it by getting Google to ban the extension, the specific choice they made doesn't make sense to me. Either publicize and leave out the unfixed detail, or ban it, then publicize.

As a Chrome user, I have the right to be annoyed that Google would disclose an issue with an extension on their store without giving enough time to fix it or banning the extension. That makes it different from other instances of disclosure, and to my mind shifts the balance closer to not disclosing.


I think you should take this to @thegrugq on Twitter. He's like Judge Wapner for stuff like this. He'll know what to do.


Regarding tone: several of my "shoulds" were implicitly "if they follow their own policy, then they should". If that wasn't clear, then my comments may have sounded more confident than warranted, although even that implication still seems like a valid position to take.

Edit: also, my argument that it hurts users presumes that full disclosure hurts users, which is what Google believes, which is why they have the 90-day policy.


If they manage to keep XSS vulnerabilities off of the pages on their domain(s) for longer than a year I'll be very surprised.

Personally speaking, I'd rather know. If it's a piece of security software it's reasonable to assume the bad guys are already looking at it or using it.



