How would you apply this logic to something like https://meltdownattack.com ? The vulnerability was in hardware, discovered by companies that make user-level software, and mitigated by changes to OS kernels.
Sorry for the late reply. While that's a good example of a vuln that's not "owned" by the affected party and mitigation would be hard to create and distribute, IMO we should still make it public relatively quickly because we can't know whether it has already been discovered by someone else. The public as a whole will likely create countermeasures like patches or workarounds more quickly than a small subset comprising OS developers and CPU vendors. Personally, I might heavily restrict using JS on random sites or downloading random binaries or scripts (even if they're virtualized), virtualize whatever I can (it seems the 2 previous actions are contradictory, but virtualization could help, so why not), separate some data and processes on different physical machines, or use a different CPU architecture for some things.