I totally understand the reasoning here, but I don't like it. 90 days is the grace period. At what point do we stop giving out time extensions to fix vulnerabilities?
Right now it's a max of 104 days... who is to say that some software vendor doesn't make a big stink about that because they could have released a fix in 120 days?
Does the madness of additional time added before public disclosure only end when a vulnerability is responsibly disclosed, and then there is widespread exploitation in the wild before the software vendor's 90 or 104 days expire?