These are all points well taken. I'd just say, don't look for any kind of coherent fairness in vulnerability embargo lists. Certainly, if you're a fork that the upstream doesn't want to exist, I don't think there's any norm that you'll automatically be included. I'm irritated about a number of embargo lists myself, but if the vulnerability researchers wanted to include me, they could, regardless of what IBM thought.