As a separate datapoint, Google's Project Zero has a default 90 day public disclosure period too.
Generally, it's highly likely that the (really) bad guys already know about the exploit. Leaving the exploit known only to them and the vendor doesn't help the most vulnerable (ie, those targeted by the (really) bad guys)
~3 months is also a reasonable amount of time for coding, review, testing, QA, etc. I don't know if the author was up front about the 90 day deadline with Apple, and if not, that's not particularly friendly, but it's not out of line with other major players in the space.
As a separate datapoint, Google's Project Zero has a default 90 day public disclosure period too.
Generally, it's highly likely that the (really) bad guys already know about the exploit. Leaving the exploit known only to them and the vendor doesn't help the most vulnerable (ie, those targeted by the (really) bad guys)
~3 months is also a reasonable amount of time for coding, review, testing, QA, etc. I don't know if the author was up front about the 90 day deadline with Apple, and if not, that's not particularly friendly, but it's not out of line with other major players in the space.