//nefariousplan

Release Lag Disclosure

A security fix lands in a project's mainline branch as a public commit, often with a commit message that names the bug class. The next release tag is cut weeks, months, or longer afterward. During the gap, the git log carries the de facto disclosure, while package managers that resolve to release tags continue to install the unfixed code. The CVE catches up to the release, not to the fix. The gap between the fix-commit date and the CVE-publication date is the window in which the bug was public to anyone reading source and unmitigated for everyone running binaries.
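A way to measure that window for a given project, as an added example that is not part of the original note: given a mainline history with release tags, it finds the first tag that ships the fix, the lag from fix commit to that tag and to CVE publication, and the already-cut tags a tag-resolving installer would still hand out unfixed. The history, shas, dates and tag names below are constructed, not taken from any real project.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass(frozen=True)
class Commit:
    sha: str
    date: date
    tag: Optional[str] = None  # release tag cut at this commit, if any

# Constructed mainline history, oldest first (hypothetical shas/dates).
HISTORY = [
    Commit("a1", date(2023, 1, 10), tag="v1.2.0"),
    Commit("b2", date(2023, 2, 3)),
    Commit("c3", date(2023, 2, 20)),   # "fix: bounds check in parser" lands here
    Commit("d4", date(2023, 3, 15)),
    Commit("e5", date(2023, 5, 30), tag="v1.3.0"),
    Commit("f6", date(2023, 6, 2)),    # another fix, not yet in any tag
]

def release_lag(history, fix_sha, cve_published=None):
    """Describe the exposure window for a fix commit on the mainline.

    Returns a dict with the first tag containing the fix (None if unreleased),
    days from fix commit to that tag, tags cut before the fix (still installable,
    still unfixed) and days from fix commit to CVE publication, if known.
    """
    idx = next((i for i, c in enumerate(history) if c.sha == fix_sha), None)
    if idx is None:
        raise ValueError(f"{fix_sha} is not on the mainline history")
    fix = history[idx]
    # Tags cut before the fix: what a release-tag-resolving installer serves.
    unfixed_tags = [c.tag for c in history[:idx] if c.tag]
    # First tag at or after the fix commit is the first release that ships it.
    fixed_at = next((c for c in history[idx:] if c.tag), None)
    return {
        "first_fixed_tag": fixed_at.tag if fixed_at else None,
        "days_fix_to_release": (fixed_at.date - fix.date).days if fixed_at else None,
        "unfixed_tags": unfixed_tags,
        "days_fix_to_cve": (cve_published - fix.date).days if cve_published else None,
    }

if __name__ == "__main__":
    print(release_lag(HISTORY, "c3", cve_published=date(2023, 6, 20)))
    print(release_lag(HISTORY, "f6"))
```

A `days_fix_to_release` of `None` means the window is still open: the fix is public in the log but no release carries it.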