by michaelt 3532 days ago

  NDAs are a real, if insane, thing still to this day
Some of the big security bugs recently have been disclosed to big players like Google and AWS before they were publicly disclosed.

If you want to retain that privilege, you need to show you can keep your mouth shut when security researchers disclose something to you - NDA or otherwise.


What's the rationale for disclosing vulnerabilities to, for example, Google before going public (unless the bug is in Google's software)?
When you release a patch, anyone who gets it can see what you changed and figure out an exploit from that. Because it's good for people to be patched /before/ that happens, some vendors give certain major customers early access to patches - so long as they maintain a proven track record of not disclosing anything about them.

For example, Xen has a 'pre-disclosure list' [1] so if they have a critical security patch, Amazon, Google, Linode, Oracle, Rackspace, and several Linux distro developers [2] get the patches early.

Obviously, we can debate the morality and wisdom of this policy - personally as I haven't discovered any critical security bugs, I've never faced this particular moral conundrum.

[1] https://www.xenproject.org/security-policy.html [2] http://www.securityweek.com/several-flaws-patched-xen-hyperv...

Because big players can take remedial action prior to the bug being disclosed to protect users - for example, banning a specific framework from browser extensions.
That sounds like an unfair advantage over smaller competitors to me.
Yes. Fair is often not optimal.