by rovr138 833 days ago
Not sure how this,

> Co-ordinated disclosure aims to prevent all of that by ensuring everyone knows about it at the same time

helps with this,

> Even in the case of automatic updates, patching can be delayed if it requires an app restart, for example.

Not saying they don't have a use-case. Just not sure how it's fixed.

2 comments

For starters, it (hopefully) delays when a bad actor knows about it, meaning they start their process of reverse engineering the vulnerability after customers have been notified.

There are always going to be situations where out of date software hangs around. This at least levels the playing field when compared to the idea of trying to silently patch something.

It is common for organizations to delay routine patching for some fixed period of time (allow others to be early adopters and assume the risks of negative impacts from the patch), and/or schedule patches to occur during a predetermined maintenance window.

When you make a public security disclosure coordinated with the release of a patch to fix the issue disclosed, you alert the aforementioned organizations that there is an exploitable security vulnerability present and allow them to make an educated assessment of the comparative risks of patching immediately versus waiting and potentially being exploited.

It's not a perfect system, but transparency is the best compromise possible and allows everyone to make an educated choice. All other options have greater downsides.