Exploits are sold and used as weapons, sometimes even weapons of war, which in many places is criminal, except under very restrictive circumstances.

Also, all kinds of aiding and abetting.

What does that have to do with this comment thread?

Copying from the comment I was replying to:

> But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal

If it's not a crime, I see no reason not to work with partner nations to build responsible disclosure into a legal framework everywhere, because it pretty obviously should be.

If you wanted to somehow make coordinated disclosure into a legal framework, that would be an interesting and complex project.

But it’s not the law anywhere I’m aware of today, and I’d not support it becoming a law.

This is kind of a thing already in the EU. Under NIS 2, vulnerabilities should be notified to a CSIRT as well as upstream, and the CSIRT shall identify downstream vendors and negotiate a disclosure timeline. I don't know whether they're any good at it or not, though.
You know companies are allowed to pay people to find vulns, and pay people bug bounties?

Instead of that, you’d rather make the law compel free individuals to limit their speech, or to hand over their work to big companies privately, so big companies can save money?

That doesn’t sound like a nice future, if it’s even enforceable at all.
