I clicked through a few, they mostly don't seem like they need to be private to me. I can ping some Chrome developers and say you want them public if you like, it seems fine to me... I would have just made these public. 
-
-
-
Replying to @shhnjk
I checked, they said just comment on the bugs you want opened or ask via usual channels
1 reply 0 retweets 1 like -
Replying to @taviso
Got it. Hope you can now believe that it’s difficult for even Chrome to fix all vulns within 90 days
1 reply 0 retweets 4 likes -
Replying to @shhnjk
When did I say that all vulnerabilities can be fixed in 90 days? I certainly think that all of those bugs could be fixed in 90 days, but it's a totally rational decision to not fix them and I do think they should be public.
1 reply 0 retweets 4 likes -
Replying to @taviso
Yes, I agree that if some vulns aren’t being patched for a long time, those should be made public to protect users. But 90 days for all vulns seems difficult. And I believe mandating the deadline makes less important bugs being prioritized over important bugs, and that’s bad
2 replies 0 retweets 6 likes -
Replying to @shhnjk
I agree that making it public will protect users. If Microsoft can't find the resources to fix all the vulnerability reports they receive in three months (!), that is very worrying indeed. Do you think users should be more aware that is the case?
1 reply 2 retweets 11 likes -
Replying to @taviso
Hmm, have you read my previous reply?
I don’t think all the vulns should be fixed within 90 days. And I just gave you a list which also showed that Chrome can’t fix all vulns within a year (!). I have another list for 90 days
1 reply 0 retweets 2 likes -
Replying to @shhnjk
You're confused. Nobody thinks that everyone must fix every bug in 90 days. *I* think that if you believe a bug is so dangerous that it cannot be safely discussed in public, then you should fix it in three months. I think it's safe to discuss those bugs you listed in public
1 reply 5 retweets 26 likes -
Replying to @taviso
1)some bugs are restricted not because it’s too dangerous to discuss publicly, but because exploitability or exploitable components are unsure, will be patched soon and no benefit on disclosing it earlier, and so on. So disclosing all vulns after 90 days doesn’t always make sense
2 replies 0 retweets 2 likes
Sigh. Fine, if you think a bug might literally be too dangerous to discuss in public but haven't bothered to find out yet, then I think it's pretty reasonable to expect you to find out if your users are at risk within *three months*. Agreed? 
Loading seems to be taking a while.
Twitter may be over capacity or experiencing a momentary hiccup. Try again or visit Twitter Status for more information.