I think this is the regular modus operandi these days: CVD
In computer security, coordinated vulnerability disclosure (CVD, sometimes known as responsible disclosure) is a vulnerability disclosure model in which a vulnerability or an issue is disclosed to the public only after the responsible parties have been allowed sufficient time to patch or remedy the vulnerability or issue.
So the devs get enough time to prepare a fix before the public gets informed that they should update their software.