Yes, 6 months. I reported it to Hugging Face the day I confirmed the backdoor propagated into model weights, not before, because the vulnerability was the lack of detection, not the dataset itself. The dataset was inert without someone training on it. I wanted to measure whether anyone would notice. No one did.