by ZeroSolstice
885 days ago
I would add the additional problem of CVEs being devoid of any useful information, which leads to generic tests being created by vulnerability scanners, as they have the same lack of insight as everyone else that's trying to patch the issue, thus creating higher false positives or wasted effort trying to confirm an exploit yourself. I get not wanting to provide a PoC because "script kiddies" might use them, but if we want vulnerabilities patched regularly you have to provide better assurances that they are valid and that we can show they are patched, aka tests.