Is it too early to discuss what happened until more users upgrade?
I am interested in the meta-discussion about security policy.
In other open source projects, representatives of "key parties" tend to gather on a "vendor security" mailing list that is closed to the public. Vulnerabilities that might have real-world consequences are discussed there, and then a coordinated release occurs, where all key players publish the security fixes at the same time.