by attentive 1095 days ago
Is it true though? - he says "when we develop fixes for issues in RHEL, we don't just apply them to RHEL - they are applied upstream first, to projects like Fedora, CentOS Stream or the kernel project itself, and we then backport them".

That contradicts reports like https://news.ycombinator.com/item?id=36484207

"Additionally, CentOS Stream updates often lag behind RHEL updates. This is because Red Hat won't commit an embargoed security update to CentOS Stream until after it ships in RHEL, so the developers responsible for the update will sometimes forget to commit it to CentOS Stream until a week or two after it's shipped. You end up in a weird position where you get most updates faster than RHEL users, but you often have to wait to get critical security updates. "

1 comments

It's true that important or critical fixes (embargoed or not) are applied to RHEL before CentOS Stream. Forgetting to apply it seems unlikely because it would be marked as a regression in the next minor release of RHEL. Usually all the red tape is ready and you only need to "git push" as soon as the RHEL packages are shipped.

If not embargoed, however, they are still applied to Fedora first. But most fixes of that severity are embargoed anyway and therefore the patches simply cannot be applied to public source trees without breaking the embargo rules.