they disclosed 30 days after the patch was merged in the thing they reported to.

its the same disclosure policy as google's project zero, and several other major players, so you should probably be trying to ping a lot more people

reporters should not be responsible for finding out and individually reporting to every downstream consumer. blame the kernel security team, who is in a much better position to coordinate notifications to individual distro security teams.