[gpm]

Yes.

I've never had to do it myself but I believe that's common practice with embargos on security vulnerabilities.

[jethro_tell]

And, If you break the embargo too many times then you just find out with the rest of us and that's not a great way to run a distro. I believe openbsd is or was in that position around the time of the intel speculative execution bugs.

[bombcar]

It can lead to amusing cases where the intentional vuln comes in "to improve x" and the quiet fix comes in "to improve x".