they disclosed 30 days after the patch was merged in the thing they reported to.

its the same disclosure policy as google's project zero, and several other major players, so you should probably be trying to ping a lot more people

reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.

The security research community would run you out on a rail if you tried to take a successful research product and attach mandatory disclosure norms to it.