In the same manner CloudFlare had it before the disclosure, the OpenSSL team should've contacted major GNU distro (Debian, Fedora, Arch) packagers privately and done the announcement as new releases hit the repos (i.e. not having a 4-8 hour window, given the bug's pretty much critical).
Nope; package maintainers said they didn't get notified, and OpenSSL explicitly has no notification mechanism for such things. CF found out because the private entities which found the bug warned them a priori with a request to not disclose it to anyone else. See also: https://news.ycombinator.com/item?id=7549986