They don't have to publish a working exploit as soon as the embargo is broken, though.
The third party posted an exploit.
Perhaps, but if the exploit code is published folks can double-check that they implemented the mitigations properly.
If there's no PoC, how can you really be sure?
anyone who will use the exploit maliciously will immediately and trivially be able to create a working exploit.
An exploit was already published.
Why not? There has already been a working exploit floating around, at least now it comes from an authoritative source.
The third party posted an exploit.
Perhaps, but if the exploit code is published folks can double-check that they implemented the mitigations properly.
If there's no PoC, how can you really be sure?
anyone who will use the exploit maliciously will immediately and trivially be able to create a working exploit.
An exploit was already published.
Why not? There has already been a working exploit floating around, at least now it comes from an authoritative source.