Google is hardly the first people to come up with the notion of responsible disclosure. Whether you agree or not with the practise, the goal is to balance the needs of the maintainer with the needs of consumers. In practise such practises have massively boosted security of computer systems.

There is a lot of historical context with this sort of thing that has lead to systems like this that has nothing to do with google.

Besides google did not sign an NDA, they aren't under any obligation to keep anything secret. 90 days is a courtesy. They are fully within their rights to just publish their findings immediately if they felt like it.