by nbsd4lyfe 3076 days ago
Notify groups who have to develop fixes (in this case: OS and compiler developers), especially when they have a record of not violating embargoes and of good faith in fixing issues.

When the longer time for fixes is done, post an announcement in private pre-disclosure lists.

For a very complicated change, give a few days of private testing and provide patches and details to groups that must apply the patches (oss-sec distro list, etc.)

For a simple one with existing backports, notify that <DATE> is publication date for a type of vulnerability to <PROGRAM>.

Wait 2-4 weeks to publish a working exploit.

Don't notify bodies who don't have their own custom code that must be fixed, but happen to pay you enough money.

The latter is actually what happened in this case and it's immensely frustrating.