Stenberg: Pre-notification dilemmas

Curl maintainer Daniel Stenberg expresses some frustrations with the vulnerability notification policies maintained by the distros mailing list.

The week before we were about to ship the curl 8.0.0 release, I
emailed the distros mailing list again like I have done so many
times before and told them about the upcoming six(!)
vulnerabilities we were about to reveal to the world.

This time turned out to be different.

Because of our updated policy where the fixes were already
committed in a public git repository, the distros mailing list’s
policy says that if there is a public commit they consider the
issue to be public and thus they refuse to accept any embargo.

What they call embargo I of course call heads-up time.

The kernel project has run into similar issues in the past.

Source: LWN.net – Stenberg: Pre-notification dilemmas