Imagine how much quicker the distros would have reacted if they were given a heads up a month ago. But, sure, I guess kudos to this company for not being actively criminal, and merely bumblingly incompetent and overly eager to get their marketing pitch out the door.
To which distros? How do you ensure fairness? Do you report this to the maintainer of Red Star OS (North Korea)?
The kernel security team was given the heads up a month ago. At that point it is their decision.
There are channels like the distro security mailing list https://oss-security.openwall.org/wiki/mailing-lists/distros for this purpose.