You're trying to extrapolate on this specific scenario from Wikipedia pages. Have you done any of this work? What have you done when you've reported a vulnerability to an upstream with dozens of downstreams? When your teammates have? You keep talking about "protocols" and "commonly followed practice" and "codes of ethics". Tell us more about the codes, protocols, and practices in your shop.

Nobody, for what it's worth, is arguing that major distros shouldn't have gotten some kind of notice. The problem is that the entity responsible for doing that isn't the vulnerability research lab. In fact, as a general procedural point, researchers can't go contact downstreams. They might be able to do so in the specific case of Linux, but you've tried to spin that possibility into a binding obligation derived from established practices, which: no. That's not a real thing.

It’s a commonly followed practice for some people. Notably it’s what was done here: they coordinated disclosure with the Linux kernel devs. And now folks are angry that they didn’t also coordinate with yet more downstream projects.

> For reference, the standard is 30 for the developer to fix and 90 for it to land on machines.

I’ve never seen that as a standard anywhere.

Are you thinking of this? https://projectzero.google/vulnerability-disclosure-policy.h...

You are strongly implying that keeping the vulnerability secret is following of what you quoted. But that’s the rub. Many of us think the opposite. Not disclosing this would have been the violation.