On 06/26/2014 10:15 AM, David Gerard wrote:
> NDAs for security bug access are pretty much standard, aren't they?
I don't know about "standard" but they are certainly common in cases where said software has a large installed base and early disclosure of a vulnerability would place them at risk without being able to protect themselves. It's not about avoidance of being "transparent" but to give a bit of protection to third parties - note how fixed security issues are moved from security back to their "real" components when being closed.
-- Marc