> One hopes that the press release is not the first time that the OOo
> community is hearing about the vulnerability, but that seems to
> be the case
Of course not - it was disclosed (with patches) on the shared vulnerability mailing list; and at least one Apache Committer: Malte Timmerman was subscribed there.
> Perhaps the project was waiting until distributions were able to update
> their LO packages (albeit silently)
Of course - that is standard practice.
> There is no good reason that LO and AOO can't work together on
> security issues, regardless of any other friction there may be
> between the two.
Some co-ordination is of course reasonable, however LibreOffice has developers actively working in this area - which involves fixing innumerable bugs of various risks. Few of these have associated CVE + circus.