missing the point...
...arguing about how long is reasonable. My issue is: just who appointed Google as the global security patch police force?
We could end up with a tit for tat battle, Microsoft might find a problem with some Android code and declare that they consider it so serious that in their opinion 30 days should be long enough for Google to fix it so release exploit code on day 31.
Arbitrary timescales are no benefit to anyone - if a serious zero-day exploit crops up, Google's 90 days is inappropriate but by all means publish exploits for the "2038 Unix Millennium Bug" or the Y10K bug and if anyone has failed to patch over the next 23 years subject them to as much criticism as you like - but don't chastise them for not doing it within 90 days.
IMHO publishing details of a potential exploit before a patch has been released is irresponsible (I'll make an exception for the Unix Millennium Bug!). I'd like to think that any organisation which then suffered a successful attack using an exploit prematurely publicised would have a legal case for liability against the leaker upheld.
How long is reasonable to fix a problem depends on the problem. Some are trivial to fix others may have repercussions elsewhere in the codebase and need extensive effort and regression testing.
Some issues will be easy and damaging to exploit others are so obscure that the real world risk, even if details of the exploit are published, that the bad guys won't find it worth their while to utilise.
We've all seen bug fixes that result in an unforeseen side effect. We've seen fixes reverted. Many adopt a policy of not implementing (non-critical) patches immediately preferring to wait for others to deliver feedback on effectiveness. We may choose to hold-off Windows 10 but await Windows 10.1.
I don't want developers pulled off a serious problem to focus on an obscure exploit that a competitor has chosen to publicise because they've known about it for nearly 90 days.
By all means pressure developers who appear to be dragging their feet on patches but there are safer ways. How about publishing a simple graphical representation of known bugs by age, perceived severity and company without identifying the actual exploits. And how about that being done by someone without their own agenda of covering their own shortcomings while trumpeting those of their competitors.
This shouldn't be about corporates point scoring over each other, it should be about keeping your and my computing environment safe.