What if you try to go with the second option, but the vendor barely puts any effort into getting the fix out to users, and then it's a year later and the vulnerability is still under embargo? Maybe you decide that the next time you find a vulnerability you want to light a fire under the vendor by giving them a fixed deadline to get the fix out to users. A month seems like a reasonable deadline for that sort of thing.