Yes, FireEye and Adobe have done it (once each as far as I know). Given the size of the security industry and the number of vulns disclosed over the last two decades, that’s a damn low number of lawsuits. If someone has a list of lawsuits filed in this space (which would be public record), I’d love for it to be produced. It might behoove the EFF to do so to strengthen their arguments.
It just isn’t something you hear about anecdotally, either amongst security people or when you go to Black Hat, DEFCON, RSA, etc. It is mostly a bullshit concern if you’re dealing with a tech company.
I, personally, receive disclosures from third parties for a major browser as my day job. I spent many many years working for one of the other major browsers as well. I talk with a lot of people at other companies and who are security researchers because it is the space I work in and part of my work. By and large, people aren’t walking around worried about being sued by a company.
Cory seems to be conflating different people and a bunch of “this might happen” as a solid given espoused by some person or persons to raise awareness of what is largely a hypothetical issue (and to beat the drum of one of his justifications for his opposition to the EME standard at the W3C).
Google actually has a very good track record overall and is one of the best in the industry for working with security researchers (no, I don’t work for them).
