There is practice used by many software companies to silently fix bugs, especially security related bugs and flaws. It is intelligible in some way, if those flaws are not publicly known. But, otherwise if those bugs are known and publicly reported by various incident response teams, this silent practice could be strange in some way. This practice has been used by some big companies also, for example by Oracle.
At https://www.red-database-security.com/whitepaper/cpu_july_2005_silently_fixed_bugs.html you can find interesting list of silently fixed security bugs in Oracle Critical Patch Update July 2005.
Red-Database-Security GmbH (https://www.red-database-security.com/) is specialized in Oracle security only. As it is stated on web site, their mission is: “Make Oracle software more secure and help our customers to protect their most valuable data”. Also, according Red-Database-Security, Oracle is really slow in fixing security issues.