Does this mean the end of NDA when reporting a problem?
I wouldn’t count on that, when I look at how the industry now deals with vulnerability disclosure, I expect exactly the opposite in practice, a kind of “catch & kill”, to use a popular term
What I expect is that all those VDPs will say that you can only report the problem to the manufacturer and that they will then have a very long time to look at the problem, in the meantime you are not allowed to go to the press yourself to investigate the leak. report. That would not be according to the procedure and then you would have no protection.
Just for fun, compare the rules that Google imposes on others and the rules they apply to themselves:
https://about.google/intl/ALL_us/appsecurity/
https://bughunters.google…-reward-program-vrp-rules
If Google reports an important problem, you must resolve it within 7 calendar days, otherwise Google will make it public.
If you report a problem to Google, they give themselves a few weeks before you can expect an answer at all. In the meantime, you are not allowed to communicate about it.
To be clear, that is nothing new, it has been going in that direction for a while, this appointment does not change anything. I actually don’t see anything in this promise that users/researchers will be given more protection than before. I don’t say that to be negative about these promises, I believe the intentions are good.
Tags: AWS Google dozens companies pledge secure products Computer News
