Most patches inherently reveal the vulnerability they fix. Patches not being controlled would be a loophole big enough to fit a whole planet through.

And private patches are a thing. Vendors often distribute an early version of the patch to major customers for validation testing.

Or if you like, substitute "patch" for vulnerability information that enables a workaround. You can defeat Heartbleed by turning off TLS heartbeat support but that information is enough to quickly reverse engineer the vulnerability.



Out of curiosity, have you read the actual proposal?


The actual proposal is dozens of pages of legalese that would take a team of lawyers a week to decipher. I have no idea what it says because it is totally incomprehensible.

That's half the problem. If you're AT&T or Google you can hire said team of lawyers to tell you what it says, but what is an individual graduate student or security consultant supposed to do?

The other half of the problem is that what it says doesn't change the outcome, because the insolubility of the issue comes from economics rather than policy. There is no policy that will keep vulnerability information out of the hands of the bad guys only, because there is no practical way for most people to even identify who the bad guys are.



