It was 2 months to notify the public but once it was detected these companies notify those 30 entities. They dont really state how long the action could have been taking place. For instance with Brave's research into AI browsers prompt injection attacks the Brave team notifies the company and has waited typically a couple of weeks before releasing the information publicly.