
spookie, today at 12:59 PM

Brother, it is a simple email to a mailing list.

They are professional security researchers, they must know this is the way it is done in the ecosystem.

Kicking the can around leads nowhere.


Replies

john_strinlai, today at 2:50 PM

> Brother, it is a simple email to a mailing list.

Just as a note, it's not as simple as firing off an email to linux-distros and calling it a day.

Qualys, one of the big firms (10,000+ customers across 130 countries, i.e. "professional researchers"), has even taken a stance against emailing linux-distros because of the restrictions and policies involved:

    > Although contacting the linux-distros list has been clearly beneficial
    > (they have thoroughly reviewed and tested the patches, and were able to
    > prepare their kernel updates beforehand), we have reached the conclusion
    > that it has become increasingly difficult to coordinate the disclosure
    > of kernel vulnerabilities with both groups (the Linux kernel security
    > team and the linux-distros list), because they have very different
    > policies. From now on, we will coordinate the disclosure of kernel
    > vulnerabilities with the Linux kernel security team only. We also
    > apologize in advance for this.

tptacek, today at 4:40 PM

Of course you want them to have sent an email to a mailing list. You're on a message board, and weren't involved in their disclosure process. Why not ask for everything that sounds reasonable to you? There's no cost to it for you. Maybe you can set their OKRs while you're at it.

There are (some, loose) norms of vulnerability disclosure, and this isn't one of them.

akerl_, today at 1:29 PM

Have you considered that maybe it’s not the way it’s done?

It’s certainly a thing some people do. But there is not a unified consensus on how to handle vulnerabilities. Different security researchers (or, in fact, the same researchers releasing different findings) can and do take many different courses of action.