by asadotzler 337 days ago
That's an exaggeration. Most industry leaders do not require NDAs, only coordinated disclosure.

Mozilla's program, which has been around longer than most, doesn't. Google and Microsoft don't. Meta and Apple don't.

This is water carrying, intentional or not, for a terrible practice that should be shamed, so that it doesn't become standard.


My understanding is that all Bugcrowd bounties do by default.

You can shame it all you want, but you can also just publish your bugs directly. Nobody has to use the Bugcrowd platform. You don't even have to wait 45 days; I don't buy these "CERT/CC" rules.

You said it was pretty standard for bug bounty programs, and I disagreed, pointing to several of the largest and longest-lived bug bounty programs, none of which do that, and your response is pointing out that one particular platform does it?

Even among third-party platforms, of which there are several big ones, the NDAs are not a platform requirement, just an option for participating firms.

NDAs are not the norm. Don't mislead people who would otherwise get into this game with non-issues they need not worry over.

OpenAI's security team commented on the thread themselves that they believe they simply accepted the Bugcrowd defaults. I think you're trying to find a controversy that just isn't here.