by ori_b 43 days ago
Yes, if you release the vulnerability as soon as possible, that's a good choice. If you have an embargo and make sure that fixes get out to users in a timely manner before ending the embargo, that's also a reasonable choice.

If you're going to wait a month between landing the patch (possibly notifying attackers) and disclosing, but not notify the people who may get the patch to users, it seems like something was mishandled.


What if you try to go with the second option, but the vendor barely puts any effort into getting the fix out to users, and then it's a year later and the vulnerability is still under embargo? Maybe you decide that the next time you find a vulnerability you want to light a fire under the vendor by giving them a fixed deadline to get the fix out to users. A month seems like a reasonable deadline for that sort of thing.