By default, vulnerabilities are set to be immediately visible. This means any project team member can see the vulnerabilities right away. This is by design, to help information flow faster to the right people and to reduce Time-To-Remediate (TTR). However you can choose to set Visibility to No which will place the vulnerability in the Pending state. Only users with Edit permissions on the project will be able to see the vulnerability (for quality review, tech review, peer review).