For example we could announce the release publicly and at first only publish the binaries and announce an exact later time for the source code release. Shareholders trusting us (or me, actually) would install the binaries and reduce the risk. Others could wait for the source code release but would have to plan to upgrade quickly to reduce the risk of the flaw being exploited (unless enough shareholders installed the binaries).
Note that with the gitian process it is possible to verify after the source code release that the binaries I provided were built from the same source code.