Most corporate bounty programs are going to include an NDA and following their release schedule. No corporate legal department is going to sign off on a bounty program that would both pay third parties for bugs and allow outside researchers to unilaterally decide when to disclose the bug to a wider audience.

They include an NDA, but a time-limited one - i.e. they require the researcher to give them a period of time (usually 90 days or more) to create, test, and deploy a fix, after which time the researcher can publish. Zoom's NDA was a permanent gag order, which puts no pressure on the company to actually fix the issue and doesn't alert laggard users that they need to update their software.

They weren't going to fix it without the bug being made public.

This seems par for the course for their support. I tried to report that their signup form automatically, silently deletes spaces from your password (!?). After a painful process of trying to explain the issue, it was summarily ignored.

They didn't really seem to understand that it was a bug.

Is noisily deleting passwords acceptable in your eyes?

(i.e. "Your password contains spaces, which is disallowed by our policy. Please try again.")

It's annoying in either case. Passwords should be any string I want! You're just going to hash it anyway.

I found it particularly egregious that Zoom's form auto-trims any spaces from the end of the string - so they are deleted as you type with no feedback (unless you happen to be watching the dots flicker).

> You're just going to hash it anyway

Wow, you're optimistic :)

I remember when I started out with SQL databases, someone managed to hack the site using SQL injects. So I made a SQL sanitation function, but soon enough someone complained that they couln't have escape characters in their password. =) Now a days I always use a library that parameterize all SQL variables to avoid SQL injections.

Does it matter? I mean is there another way of entering this string which preserves the spaces, or is deleting them just part of the hash function?

Yes, you can paste a string with internal spaces. I guess you can also disable JS and type whatever you want. Passwords with spaces work absolutely fine, too - it's just the signup form that is broken.

They probably had to many people accidentally copy-pasting strings with spaces into the form. Like the good old "double click to select a word" also picking up the space after the word.

The reason I can empathize with your complain is it being highly unlikely they are able to keep those restrictions consistent across all password forms & login methods.