Tavis Ormandy started tweeting at AVG about this subject several months ago.
And it's been pointed out that they aren't able to remove the extension from users' machines due to how it bypasses the Chrome security system. So their best bet was to ask AVG to do the right thing. AVG won't or can't.
So, what can Google do? Just silently accept it? The 90-day policy is worthless in this case.
I went back through his tweets to 2014, searched AVG, and found nothing before Oct, and that wasn't a request for contact, which came in December.
The report is dated from this month.
Re removing it: they can remove it from the webstore. As long as it's in the webstore, they shouldn't be releasing 0-days that haven't been patched yet.
You expended a lot of effort on what could have been easily resolved by asking me. The XSS that you're concerned about was for illustrative purposes only, and could not be used in an attack due to mixed-content errors.
I don't really want to discuss disclosure ethics with you, but will say that our documented policy was followed to the letter.
And it's been pointed out that they aren't able to remove the extension from users' machines due to how it bypasses the Chrome security system. So their best bet was to ask AVG to do the right thing. AVG won't or can't.
So, what can Google do? Just silently accept it? The 90-day policy is worthless in this case.