


The timing is just less than ideal.

They started disclosing in July and it looks like everything was very professional and responsible only to publish the week before Christmas.

From the timeline, perhaps CERT/CC could have done more or could have been quicker in their review. 5th December is probably the absolute earliest reporting date, but it was published on 18 Dec after what I can only guess was nearly 2 weeks for internal review.

So, the decision is to publish the week before Christmas or wait until early/mid Jan when staff return, and they took the less than ideal option to publish early, presumably in case they were scooped.


Also, they only disclosed to GMX, Microsoft and Cisco, when they clearly write in the article that there's quite a big quantity of Postfix servers impacted (more than a million by the mentioned figure):

  This might not seem bad at first, but looking at affected SMTP software on the Internet is a different story. After testing some popular e-mail software in their default configuration, it turned out that Postfix and Sendmail fulfil the requirements, are affected and can be smuggled to. Speaking globally, this is a lot (figure 31)!



