Aggressive
I'm for full disclosure, but I do find Rapid7's policy aggressive. The standard policy Rapid7 follows is to file a CVE after 15 days if they don't hear back from the vendor; the CVEs filed with CERT/CC are private for 45 days (if the filer doesn't choose to make it public earlier). So basically you'd have 60 days to get a patch out to customers, then the CVE is public anyway, feel free to publish exploit^H^H^H^H^H^H proof of concept code and all that. That part seems fine! But...
Rapid7's argument is valid: when a company is putting out security patches, it's pretty easy to take a peek at them, and it points you straight to the exploit. There was a big problem in the past with companies just blending the security fixes in with product updates; people were frequently running vulnerable software because they were like "I don't need these new features," and there was no disclosure of the security content of the updates. Truly silent patches.
And I even think this "24 hours disclosure after a hidden patch" is fine for companies that truly do silent patches -- they are typically trying to hide security fixes in with general updates for their software, "sweep it all under the rug." Since people aren't told there's a security update, they have no urgency to update. If the software has an automatic updater, most people's copies may be updated within that 24 hours anyway; otherwise many people may never update it. So in the case of a true hidden patch, disclosure after 24 hours versus a month or 45 days would likely make little difference.
But it seems like a pretty perverse interpretation of their own rule on Rapid7's part to consider this a silent patch... After all, JetBrains filed a CVE (which would automatically disclose in 45 days), created a patch that was specifically described as a security patch, and then e-mailed their customers to tell them "This newer JetBrains fixes important security holes, please install it, but here's a patch for your current version." I don't know how that is a silent patch, and given this needs some manual intervention to install (it's not going to auto-update itself), it seems perfectly reasonable to at least give people a few days (like a week maybe, if not that full 45 days) rather than 24 hours to get those patches installed before full disclosure time.