Currently there are laws in place in the EU, as far as I remember, that, after some time, give you the right to publicly disclose even unpatched vulnerabilities that affect current systems, as long as they have been properly disclosed.
Additionally, to this day, I am not aware of any lawsuit against Google for the Project Zero 0-days that it dropped.
I’m not saying this is the right way or what I would do; it’s just another opinion that I’d like us to discuss here today.