hope you are also blacklisting google's project zero, and practically every other major player in the vulnerability reporting space, as all use roughly the same bog standard 90+30 policy.

this was a failure of the kernel security team, and their stance on communicating security issues with their downstreams.