On 06/26/2014 10:15 AM, David Gerard wrote:
> NDAs for security bug access are pretty much standard, aren't they?

I don't know about "standard" but they are certainly common in cases
where said software has a large installed base and early disclosure of a
vulnerability would place them at risk without being able to protect
themselves. It's not about avoidance of being "transparent" but to give
a bit of protection to third parties - note how fixed security issues
are moved from security back to their "real" components when being closed.
-- Marc