How many vulns do you think companies find internally daily? Should every vuln be publicized?



Every single root escalation bug could potentially leak huge amounts of data. And the definition of a successful exploit is one where you don't find out for a long time, or perhaps, not ever.

So does that mean that every single time you patch a remote-exploitable hole in your web server, et al., you have to file a report with every single government saying that there might have been a leak of all our data from all of our users, but we're not sure? It will be like the California Proposition 65 warning, where there will be so many "could be potentially harmful to a fetus" warnings that they all fade into the noise.

Just think of all of the CVEs reported by Microsoft, Red Hat, etc. Any one of those _could_ be a vulnerability leading to the loss of user data, and there are no guarantees that you would be able to detect it via logs.


If they potentially expose sensitive data, yes. Again, if an organization is certain that it hasn't then I'd say no. Sure, certain is a high bar but there's absolutely no way for people to make informed decisions and/or mitigate issues otherwise.


That's going to be on the order of thousands or tens of thousands of bugs per year for each large company. It also discourages businesses from performing pentests since finding anything leads to shitty press. And this is largely useless information since it gives no info about unknown bugs. This makes it seem like small companies with no security apparatus are actually safer because all of their bugs remain unknown.


Okay... and how do you enforce this?

Because the reality is that this would essentially require policing every commit that ever makes it to public serving in every company.

To call that unreasonable is vastly understating matters.


I'm not advocating any external enforcement action. Merely taking the position that if there's an internal conversation which goes along the lines of 'that vulnerability could have been really bad but based on what information we have it doesn't look like it's been exploited... should we tell anyone?' then the answer should be yes, it should be disclosed. That sounds like pretty much the conversation that happened inside Google only they decided 'no, better not... we might get in trouble'. That's a red flag right there.

