[cortesoft]

Isn't that a pretty standard bug bounty requirement? The idea is that you submit the bug to the company and they fix it before it is disclosed.

[throwawaymath]

It is standard in the sense that it's not uncommon. But about as frequently it's not a requirement. Many companies allow complete or partial vulnerability disclosure once resolution is complete. It's often on a case by case basis and requires approval.

[cortesoft]

Oh, I thought that was what you meant (until resolution).. didn't realize they block disclosure forever