Because Google products must interoperate with Microsoft and other vendors' software, Google's security research teams give vendors a 90-day period to patch and automatically publish details once the deadline is reached. While this policy pressures vendors to ship a fix in their next release, publishing details of a still-unpatched vulnerability carries some risk: the details can be turned into an exploit or malware while the vendor is still finalizing its release. Google states that it developed this policy to protect its users on the affected vendor platforms. Conversely, many security professionals favor only private disclosure.

http://www.eweek.com/security/is-90-days-enough-google-releases-details-of-unpatched-microsoft-flaws.html

With Microsoft canceling an update on Feb. 14, the company missed patching two vulnerabilities in time to meet Google’s 90-day deadline. For the second time in as many weekends, Google released details of a security issue in Microsoft’s software, which the Windows maker failed to patch after postponing the release of a regularly scheduled update on Feb. 14.

Google funds a group of researchers known as Project Zero. They publish details of security flaws after giving the software vendors 90 days or less to fix the issues. Both of the vulnerabilities in Microsoft software were found last November, and their details were scheduled to be disclosed this month. Microsoft typically releases software updates on the second Tuesday of the month, but scrapped plans for a February update—which would have landed on Valentine’s Day—when it detected an unspecified issue with the fixes.

Google did not respond to a request for comment, but Microsoft provided a statement. “We believe in coordinated vulnerability disclosure, as disclosing before a fix is released could put customers at potential risk,” the company stated through a spokesperson. “Microsoft has a customer commitment to investigate reported security issues and proactively update impacted devices as soon as possible.”