The Situation: The stack involves several open-source components. While working with these integrations and later reproducing issues independently on my private time, I’ve observed several non-security bugs and usability "sharp edges." As is common in this sector, tooling choices are rarely discussed publicly.
The Goal: I want to address these issues via an "Upstream-First" approach. I plan to report the bugs/usability issues by writing technical blog posts detailing the reasoning. I intend to use a "Clean Room" approach: creating independent test cases and reproductions that never use client code, stack traces, or reference any specific client use-case.
The Dilemma: Legally, I could seek formal approval. However, in my experience, asking these questions often leads to "We need to check with legal," which results in a black hole where I never receive a response, effectively killing the initiative.
Ethically, even though I wrote independent test cases in my own time, the client might feel that since I found the issues because of the time I spent with the open source project, they "own" the discovery. I'm reluctant to ask because it might trigger a refusal from the end-customer's legal team just to be safe.
The Contractual Concern: My contract contains a standard German Confidentiality clause: "The Contractor shall be obligated to maintain secrecy about all information that becomes known to it in connection with its activities for the Client..."
My Questions:
Scope of Secrecy: Since these are defects in third-party public software (not proprietary secrets), does fixing them upstream constitute "information known in connection with activities for the client"?
The "Clean Room" Defense: Is reproducing a bug in a vacuum (completely outside the client’s environment) sufficient to decouple the information from the client's business?
Risk vs. Reward: Is it reasonable to proceed with upstream contributions without explicit prior approval if no client context is disclosed?
I'd prefer to share credit with my client, but I want to avoid the bureaucratic dead-end of asking questions on this topic. These bugs have been in place for several years and I have seen no upstream efforts so far.