deepak-singh's comments

deepak-singh | 8 months ago | on: Ask HN: Bug Bounty Dilemma – Take the $$ and Sign an NDA or Go Public?

Your leaning feels correct, and more so if the listed company deals with health or financial data, where personal data and privacy are of utmost importance.

User impersonation and unauthorized access would probably leave them open to potential lawsuits and loss of credibility, hence the NDA, or more like a gag order.

Non-disclosure even after patch is surely a big red flag.

In the interest of the users and public accountability, it is suggested to publish an incident report, only after notifying the company and allowing sufficient time to patch the vulnerability.
