There are dedicated teams of people who are highly skilled, well-funded and working full time at finding exploits with the intent of selling or using them.
The bad guys already have the vulnerabilities long before the good guys do.
Lower-skilled criminals and script kiddies who are relying on disclosure before they can do anything are far less ambitious and do far less damage.
Stuxnet and recent high-profile banking malware all employed legitimate 0day and did real damage to people. Vulnerability disclosure contributed nothing towards that.
But I'm not saying this to convince you, I'm saying this to keep my stuff secure. Google doesn't choose 90 days out of a sense of anything other than what's good for Google and its shareholders.
The bad guys already have the vulnerabilities long before the good guys do.
Lower-skilled criminals and script kiddies who are relying on disclosure before they can do anything are far less ambitious and do far less damage.
Stuxnet and recent high-profile banking malware all employed legitimate 0day and did real damage to people. Vulnerability disclosure contributed nothing towards that.
But I'm not saying this to convince you, I'm saying this to keep my stuff secure. Google doesn't choose 90 days out of a sense of anything other than what's good for Google and its shareholders.