They include an NDA, but a time-limited one - i.e. they require the researcher to give them a period of time (usually 90 days or more) to create, test, and deploy a fix, after which time the researcher can publish. Zoom's NDA was a permanent gag order, which puts no pressure on the company to actually fix the issue and doesn't alert laggard users that they need to update their software.