Isn't that a pretty standard bug bounty requirement? The idea is that you submit the bug to the company and they fix it before it is disclosed.

It is standard in the sense that it's not uncommon. But about as frequently it's not a requirement. Many companies allow complete or partial vulnerability disclosure once resolution is complete. It's often on a case by case basis and requires approval.

Oh, I thought that was what you meant (until resolution).. didn't realize they block disclosure forever