As far as I know, this is the first effort to tidy up and standardize the legalities around bug bounty programs. Security research is already legally fraught, particularly in the US. Bug bounty programs that pay meaningful amounts are clearly a great step, but there have already been multiple instances of security researchers attempting to do the right thing, and being thwarted by the process – more, and standardized legal protection should help.
Are there any bug bounty programs in the firmware and/or hardware domain directly?
Apple has one that covers their (low SKU) product line, but things get complicated when a shipping system has components from so many distinct providers and a manufacturer makes so many SKUs. Seems like the buck should still stop at the integrated system manufacturer – eg: Dell, Lenovo, HP, Supermicro, etc, and at the component manufacturer for components that can be replaced – HDDs, SSDs, discrete PCIe devices.