There is no one accepted set of norms on disclosure. Any strategy you take, someone will criticize.

I don’t know if “cool” is the word I’d use, but there isn’t an established “right” way to disclose a vulnerability that you found outside of a contracted security review or other employment/contracting arrangement.

mainline was patched a month ago