You've described states one and two as outlined above.
Whether a bug is exploitable is an entirely separate category of unknowable, because seemingly innocuous bugs quite often have very deep and very subtle implications that, when combined with another innocuous bug, result in an RCE or PE.
Therefore, it's sensible to treat all bugs as potential threat vectors unless and until proven otherwise. Which brings us full circle: state 3, all bugs being public, is probably the safest thing because nobody can know if a bug is in state 1 or 2.