The time line is also interesting, BTW:

Disclosure timelines are some of the most entertaining and educational
reading in security advisories. There's now (finally) enough data for
somebody somewhere to do a quantitative study on reported timelines,
including typical vendor response times, and issues in the process. (If
someone wants to pursue this, feel free to contact me to bat ideas
around.)

A lot of researcher timelines show a delay between the original discovery
and vendor notification. In some cases, this can be due to additional
time required to prove that the discovery is exploitable in order to give
a more reliable report to the vendor, but that's not always the case.