That's good to know about as a security consultancy.
Whenever we find an issue in software made by a third-party vendor, we already recommend reporting it and offer to do it for them (unpaid time on our part, but it gets both the finder and our company publicity, and when it's left up to the customer, it might not happen, which is also bad for everyone else), but now we can say it's required and not just a recommendation. And if there is patching on the customer's part, we get to check the fix if they give it to us for reporting, which in turn makes them more secure.
For us, the situation doesn't really change, but for the tech industry as a whole I see only upsides (at least of this part) :)