> But you're saying disclosure when a prompt patch IS provided motivates patches further, and that's not even just a guess? How…?

1. because the policy is "mandatory disclosure", it's way harder to criticise it if it's a blanket, universal policy

2. disclosure is important for users (in general though mostly corporate) because if the issue is not publicly disclosed they might not update their systems (assuming issues are minor or irrelevant)



> 1. because the policy is "mandatory disclosure", it's way harder to criticise it if it's a blanket, universal policy

"It's harder to criticize"? So the reason to put users at risk is to... solve a PR problem?

> 2. disclosure is important for users because if the issue is not publicly disclosed they might not update their systems

Hold on. You're actively injecting a threat and guaranteeing that everyone knows the exploit immediately and that it can be deployed by lots of people on a wide scale because someone might discover it someday?

Can't you at least easily address this by putting a reasonably long time gap between the patch and the disclosure? People will still have to update their systems in the interim due to previous patches' deadlines expiring...


Seems like the disconnect between you and others is your assumption there is some time gap of knowledge about the exploit after the patch is released.

Others have stated that almost immediately after patches are released they are reverse engineered to discover the exploits. So at that time, motivating people to upgrade to the patch is all benefit, no?

If they're wrong about their assumptions, you might have a point. If you're wrong, what's the dispute?


Yes, but a time gap of knowledge is just one dimension, whereas I see a gap in every other dimension too. I expect that not every bad actor who would learn from a PoC would learn from a binary, not everyone who would learn that would actually invest the time to write an exploit, not everyone who invests the time would actually come up with an exploit in such a short timespan, and not everyone who does all that will target the same set of customers. Furthermore, as I said in another comment, the existence of prior patches would mean people would still have to update regularly because those disclosures would be expiring anyway, so it's not at all clear to me that adding a delay would change that. And there are probably other dimensions I can't think of right off the top of my head.

There should be an easy way to settle this, which is with data, which I have not yet seen anyone point to. I would be shocked if data showed that the number of actual customer systems hacked actually decreases when a PoC is provided quickly after a patch, vs. when this is not the case.


> because someone might discover it someday?

because many people will discover it immediately by looking at the patch.
