The "Ledger Bounty Program Reward Agreement" appears to have a clause that may allow Ledger to prevent a researcher from publishing their own report.
>"You have complied and will continue to comply with the responsible disclosure process described in the Ledger Bounty Program which includes your agreement (a) not to disclose the security related bug to anyone without Ledger’s prior written consent," - [0]
I'm not a lawyer so I could be reading this wrong or maybe they never intended to enforce that clause.
https://www.ledger.fr/2018/03/20/firmware-1-4-deep-dive-secu...
> We would like to congratulate the three security researchers who found these bounties.
> Saleem Rashid – MCU fooling
> We fully appreciate their contribution, and they certainly deserve their rewards.
> We have asked each security researcher to sign our Ledger Bounty Program Reward Agreement, that you can review as part of our transparency process
> (this document doesn't prevent the researcher from publishing their own reports).