Sounds like a job for the Linux Foundation maybe?
You don't need anyone's permission to make a distro, that's true, but if you notify Debian, Canonical, Fedora, Red Hat and Arch you're covering a very large fraction of users; way more than today's 0%. In cases like this, perfect is the enemy of the good.
The Linux Foundation hasn't been about Linux (except marginally) in a long while, if ever.
The name is a misnomer.
A rogue actor may create a new distro, maybe for some niche use case such as accessibility or retro gaming. After acquiring enough false (and even some real) users that the Linux Foundation accepts them as a notifiable distro maintainer, this maintainer could then pwn machines before the exploit is made public.
I didn't say all distros should be notified, for that exact reason. I listed a handful of major distros.
Who gets to decide who the lucky few are?
Human beings
Qualified by what?
Are you implying it requires expertise to figure out the ten (plus or minus a factor of two) biggest distros? I think most people that understand the context of the question can figure out pretty similar lists.
Rather than the current situation, where they can pwn machines after the exploit is made public?
Yes. After the exploit is made public, the window of opportunity closes quickly.
Not if people don't get notified!