
He could have if he wanted to. He could have disclosed immediately if he wanted to.

Google does not have a hard policy to disclose. GPZ does. Vulns in external products found through other groups within Google do not share all the same processes as GPZ.



GPZ is not some independent entity Google just funds; they are as much part of Google as any other team.

If you want to be that precise, it is a bad look for part of your organization to have a hard policy that you expect external companies to follow, while parts of your organization itself cannot do the same.

I am not saying Project Zero is wrong; clearly giving more time did not prod Google to actually fix it in a timely manner. He certainly was being too polite and gave too much time. I don't know why; perhaps companies don't pay bounties if you disclose without their consent [2]?

All I am saying is that Google as a company should hold itself to the same hard standard and fix issues in 90 days; this is what Google Project Zero as a team expects other companies [1] to do, and they will even reject requests for extensions.

As a company, if they can't do it, they shouldn't expect others to do it either, right? Or they should disclose reported vulnerabilities even if not fixed in 90 days.

[1] Maybe they do it for internal teams as well, but that is not relevant to us; all we should be concerned with is how they behave externally with disclosing and solving issues.

[2] Perhaps part of the reason GPZ is able to have this hard policy is because they don't depend on bug bounties as a source of income, as independent researchers do.
