
Often many companies and organizations from many countries are getting informed about such security problems under the embargo. I assume that the intelligence agencies from many countries are also getting this information. Either they are officially informed, because they also protect the government networks, or they just have good working relationships with their local companies.

I assume Microsoft would inform the NSA about such things, Huawei would inform the Chinese intelligence agencies and Siemens would inform the German BND.




And those nations got a chance to freely exploit it* for way longer than a typical reasonable disclosure of 90 days.

*Assuming they didn't already know about it, which is why fast disclosure is so important.


I can't read from your comment if you think this is A Good Thing. In my opinion it is a Very Bad Thing. None of those entities are more important than everyone else. If anyone should be alerted, it should only be those that fix the vulnerability in WiFi devices. Anyone else, and not only does the risk of leaks rise exponentially, but some of them will rub their fingers with glee and exploit it ASAP.


I think such long embargoes are bad.

Embargoes prevent the average cyber criminal from knowing about the problems, but the resourceful organizations already get the information before the public knows about them. I think even 90 days are pretty long.

For example, 253 vendors were informed about the problem in dnsmasq about 3 months before it was published: https://www.kb.cert.org/vuls/id/434904 (all vendors listed here were informed). In each organization probably multiple people know about this.


Long embargoes only give companies cover to continue to not prioritize security or responding to security issues in a timely manner.

That we have had embargo processes for decades is utterly ridiculous. It's time for these vulnerabilities - especially for the ones that literally break everything - to be treated with the urgency they should be.



