Your leaning feels correct, and more so if the listed company deals with health or financial data, where personal data and privacy are of utmost importance.

User impersonation and unauthorized access would probably leave them open to potential lawsuits and loss of credibility, hence the NDA, or more like a gag order.

Non-disclosure even after patch is surely a big red flag.

In the interest of the users and public accountability, it is suggested to publish an incident report, but only after notifying the company and giving it sufficient time to patch the vulnerability.

Thanks for the reply — really appreciate it.

The company doesn’t deal with health or financial data, but yeah, user impersonation and access to private messages is still serious enough to expect some level of accountability.

I’m holding off on sharing more details for now since mentioning the domain + the vuln might make it too easy to identify the company.

I’m leaning toward a public write-up after giving them fair notice.

One more thing is that the vulnerability has already been fixed (I reported it 3 weeks ago), so not sure how much leverage that still gives.