It’s a commonly followed practice for some people. Notably it’s what was done here: they coordinated disclosure with the Linux kernel devs. And now folks are angry that they didn’t also coordinate with yet more downstream projects.

> For reference, the standard is 30 for the developer to fix and 90 for it to land on machines.

I’ve never seen that as a standard anywhere.

Are you thinking of this? https://projectzero.google/vulnerability-disclosure-policy.h...