1) the vulnerability is local, not directly tied to spreading as malware (but these days placing JavaScript in an ad is easier and possibly more effective than a virus...)
2) there is no such thing as "exposition carefully publicized so the flaw is not exploitable by malicious hackers". Just assume that black hats are as smart as white hats or smarter.
> 2) there is no such thing as "exposition carefully publicized so the flaw is not exploitable by malicious hackers". Just assume that black hats are as smart as white hats or smarter.
You're missing the point. Not doubting the smartness of black hats, white hats likely took their time to discover the flaw. If you make the details public in a controlled manner and then announce the fixes shortly after, you essentially did not give black hats enough time to fill the missing pieces of the public announcement.
For instance, in the extreme case, the statement "we have discovered a flaw at the hardware/CPU level in such and such chips, and we call it meltdown and spectre", it's pretty obvious the black hats would have no clue what it is. (They may have already discovered it on their own, and may have named the flaws something completely different. Even then they wouldn't know if white-hats discovered what they discovered.)
unfortunately the fixes are in an open source project so even if all they knew was that there was a CPU level exploit and that specific code fixed it, black hats would still have a weaponised exploit before most people had patched their systems.
Is the exposition carefully publicized so the flaw is not exploitable by malicious hackers?
Or does Project Zero expose everything, and a malicious hacker can read it and create code that spreads over the internet to harm computers?
I hope it's not the second case because that should cause global panic.