Legend2440 5 hours ago

If you notify the kernel and they ship a fix, it seems reasonable to expect that they will communicate the fix to the distros.

I see this as an organizational failure of the Linux ecosystem. There should be better communication between distro and kernel development.

dweinus an hour ago

The reporter clearly knows the distro fixes have not been shipped; read their report. They chose to disclose anyway.

john_strinlai 41 minutes ago

>They chose to disclose anyway.

Yes, because 30 days had passed since the patch landed in the kernel, as per the industry standard.

Approximately every security researcher, including the likes of Google and other big names you may know, does a 90+30 disclosure, which is what happened here. They do this for good reason, which has been figured out over decades of experience in reporting thousands and thousands of vulnerabilities.

The only security researchers I know of that don't like 90+30 actually argue for shorter timelines (or immediate disclosures).