...
Once the patches are approved and the CVE is assigned, a signed email with the vulnerability description is sent to the downstream stakeholders by VMS coordinator or other designated VMS member. The disclosure date is set to 3-5 business days, excluding Monday/Friday and holiday periods, at 1400 UTC. No stakeholder is supposed to deploy public patches before disclosure date.
...