Zero day

>>> Surely the information on the vulnerability is already out there by the time the patch is released?

> No, not necessarily. That's the point of those disclosure timelines.

Sorry for my ignorant comment but that makes no sense to me. Isn't the
whole point of disclosure that Google has reasons to believe that
someone else (independently of Google) could have possibly discovered
the vulnerability as well? I assume Microsoft doesn't just give Google
full and unrestricted access to its infrastructure for Google
researchers to roam around and find bugs. Assuming Google doesn't use
any privileged information to find these bugs (a reasonable
assumption), a disclosure timeline of 90 days is very generous for a
company as big as Microsoft and a product as widely prevalent as
Windows.

Who is to say this other entity who discovers this vulnerability won't
exploit it? Yes, but not necessarily...

(And as I wrote here it made sense that "not necessarily" is correct.
If you think an argument is wrong, try to come up with a rebuttal. You
might find that the argument is not necessarily wrong and you might
learn something.)