Google’s Project Zero changed vulnerability disclosure policy for 2020

Project Zero changed in a trial 12-month mode its vulnerability disclosure policy to faster and improve patch adoption and development. Starting from 2020 Project Zero will keep information for full 90 days by default, regardless of when the bug is fixed unless there are special mutual agreements with vendors to disclose it earlier. If a vulnerability is not fixed within 90 days, Project Zero may grant an additional 14 days for vendors upon request.  After 90 days the team will automatically publish tracker reports for bugs and vulnerabilities.