The reason for this policy is that if you don’t keep a deadline, upstream can just sit on the report forever while bad actors can find and exploit the vulnerabilities, which harms downstream users because they are left entirely unaware that the vulnerability even exists. The idea behind public disclosure is that downstream is now made aware of the bug and can take appropriate action on their side (for example, by avoiding the software, sponsoring a fix, etc.).