Re: Good Job
Of course there are some bugs that take longer than 90 days to fix (and test and release). But if one lot of researchers have found it, so will another - and they might be exploiting it. Just because it takes a while to fix doesn't mean the blackhats will hold off too.
If 90 days is too short, then the vendor should offer a workaround instead, or at least a warning to disable some feature. Just keeping it quiet isn't a reasonable option.