So, there is some history of organisations doing a poor job at managing security bugs.
We saw the “This is not really a security hole” jokes just to avoid having bad statistics in the front page. We saw the “OMFG you must update to the latest version RIGHT NOW and no I’m not telling why” panic.
We still frequently see security fixes hidden in unrelated public commits, just to make them harder to backport for distributors.
But really, there is absolutely no match for that. Kudos for setting a new standard in the worse way of dealing with security issues, guys.
Update: one of the developers has started insulting a pair of professional IT security experts who came and tried to educate him. Awesome reading, don’t forget the popcorn.