From Agazzini's public announcement:
20/08/2016 - First communication sent to IBM PSIRT (psirt at us.ibm.com)
22/08/2016 - IBM Response, PSIRT Advisory 6345 assigned to the bug
05/10/2016 - Communication from IBM with fix information (PI62375)
07/10/2016 - Security Advisory released
Copyright (c) 2016 @ Mediaservice.net Srl. All rights reserved."
Maurizio Agazzini CISSP, CSSLP, OPST"
So IBM received notice on August 20, developed and tested a correction by October 5, and released the advisory on October 7, whereupon Agazzini immediately announced the details to the world.
Many shops have a regular patch cycle that varies in length, but would be unlikely to be less than a couple of weeks except for tiny organizations or very easily exploited patches with very high impact. Most have internal requirements for testing, even of security changes, and a patch cycle of a month probably is fairly common. Publicly releasing details of a major commercial product vulnerability on the same day that the fix is released falls well short of my idea of responsibility unless the vulnerability already is known and being exploited or a trivial mitigation can be applied until the full correction can be tested and installed.
There may be mitigating circumstances like vendor foot dragging, but this case does not show it. IBM moved from notification to correction release in seven weeks, which is not necessarily unreasonable.