That’s the usual method for handling security flaws discovered by third parties.
The researcher contacts the company to inform them of the flaw and of their publication date. The company agrees to wait to announce until that date, but will work with the researcher on fixing as much as possible and the researcher will normally note that cooperation and any flaws that have been fixed as an addendum to the original work.
Publication date comes, researcher releases their paper, company puts out their reply press release on the same day or the day after.
That way researchers have a motivation to work with the companies but still preserve the freshness of their own research.
That appears to have been what was done here. On May 2, there was an official post to the smartthings blog about the issue, and I believe anyone who subscribes to the blog would’ve received an email notification about it.