[awill]

You're obviously a Red Hat employee. It might be worth disclosing it.

I don't quite agree though. Sure, RH can decide when to patch, but a researcher isn't wrong just because they say "Hey, RHEL isn't patched".

Should RHEL be patching sooner? Maybe. Though I get patches can have unintended consequences. However, I like the idea of a third part scrutinizing this stuff. Otherwise companies will do the wrong thing and claim their security posture is perfect.