Hacker News

dominicq, today at 5:07 AM (5 replies)

> Fundamental in the dependency cooldown plan is the hope that other people - those who weren't smart enough to configure a cooldown - serve as unpaid, inadvertent beta testers for newly released packages.

This is wrong to an extent.

This plan works by letting software supply chain companies find security issues in new releases. Many security companies have automated scanners for popular and less popular libraries, with manual triggers for those libraries which are not in the top N.

Their incentive is to be the first to publish a blog post about a cool new attack that they discovered and that their solution can prevent.


Replies

riknos314, today at 5:22 AM

Sure, but the alternative the author proposes not only allows for time for those scanners to run but explicitly models that time as a formal part of the release process.

Status quo (at least in most languages' package managers) + cooldowns basically means that running those checks happens in parallel with the new version becoming the implicit default version shipped to the public. Isn't it better to run the safety and security checks before making it the default?

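A minimal version of the gate riknos314 describes, added here as an example and not code from the thread: a build step that refuses pinned versions younger than a cooldown, so the scanner window is enforced before a release becomes the default. Package names, publish times and the lockfile are constructed; a real gate would take publish timestamps from the registry's version metadata.

```python
"""Cooldown gate: refuse lockfile pins published more recently than a minimum age."""
from datetime import datetime, timedelta, timezone

# Constructed registry metadata (hypothetical packages and publish times).
RELEASE_TIMES = {
    ("left-pad-ish", "1.3.0"): datetime(2024, 5, 1, 9, 0, tzinfo=timezone.utc),
    ("left-pad-ish", "1.3.1"): datetime(2024, 5, 20, 14, 30, tzinfo=timezone.utc),
    ("tlsutil", "2.0.0"): datetime(2024, 3, 12, 8, 0, tzinfo=timezone.utc),
    ("tlsutil", "2.1.0"): datetime(2024, 5, 21, 2, 15, tzinfo=timezone.utc),
}

# Constructed lockfile: the pinned versions a build wants to install.
LOCKFILE = {"left-pad-ish": "1.3.1", "tlsutil": "2.0.0"}

# Constructed "current time" so the example is reproducible offline.
NOW = datetime(2024, 5, 22, 12, 0, tzinfo=timezone.utc)


def cooldown_violations(lockfile, release_times, min_age_days, now):
    """Return {package: (version, age)} for pins younger than the cooldown.

    A pin with no known publish time is reported with age None: the gate
    must fail closed rather than let an unknown version through.
    """
    min_age = timedelta(days=min_age_days)
    violations = {}
    for package, version in sorted(lockfile.items()):
        published = release_times.get((package, version))
        if published is None:
            violations[package] = (version, None)
            continue
        age = now - published
        if age < min_age:
            violations[package] = (version, age)
    return violations


def gate(lockfile, release_times, min_age_days, now):
    """True only when every pinned version has aged past the cooldown."""
    return not cooldown_violations(lockfile, release_times, min_age_days, now)


if __name__ == "__main__":
    for pkg, (ver, age) in cooldown_violations(LOCKFILE, RELEASE_TIMES, 7, NOW).items():
        detail = "no publish time on record" if age is None else f"published {age} ago"
        print(f"cooldown violation: {pkg}=={ver} ({detail})")
    print("gate passed" if gate(LOCKFILE, RELEASE_TIMES, 7, NOW) else "gate failed")
```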
absynth, today at 5:36 AM

Security people should love a delay in distribution as packages wait in the queue. Then they have an opportunity to report before anyone else.

weinzierl, today at 11:45 AM

"This plan works by letting software supply chain companies find security issues in new releases."

If it was that easy we'd simply find all vulnerabilities before the release. If the supply chain companies can run the scanners you can (and should) run them too. Even if we assume there is more to it, it would make sense to let those companies do the work before GA.

But it is not that easy. The true value comes from many eyeballs, and then we are back at cooldowns being some eyeballs grifting others.

arianvanp, today at 7:48 AM

I feel like this is false. These companies mostly seem to monitor social media and security mailing lists with an army of LLMs and then republish someone else's free labor as an LLM slop summary as fast as possible whilst using dodgy SEO practices to get picked up quickly.

They do do original work sometimes. But most of it feels like reposted stuff from the open source community or even other vendors.

renewiltord, today at 5:29 AM

Exactly. In fact, we as a society pay them the same way we should pay artists: exposure.