irresponsible non-disclosure
The whole point of responsible disclosure is supposed to be that there's a compromise. The vulnerability isn't disclosed to the whole world until the vendor has had a reasonable opportunity, if possible, to protect its customers. In exchange, the details get published openly once that's happened, both so that the world can judge the vendor and so that everyone (including other vendors who might have similar bugs!) can learn from it. When done this way, everyone benefits: the vendor gets to protect its customers, the customers get protection, the researchers get to publish and be publicly acknowledged, and everyone has an opportunity to learn. Whether or not this is your preferred system, it does have some merit.
Signing an NDA is not responsible disclosure; it is, plainly, non-disclosure. Vendors who employ contractors in this manner need to stop calling this responsible disclosure, because it isn't, and the rest of us need to stop going along with the lie and allowing contractors to promote themselves in this manner. If this is what vendors think responsible disclosure is going to be, then full disclosure is the only answer. The party that welches on a compromise agreement can expect to lose the benefits thereof.