
In this case what are the firms who pay these rates doing with the information?

Defensive work (e.g. IPS vendors): well, after they've got their early day protection they can just sell on to the vendor.

Offensive (e.g. "cyberweapons", ugh, I hate that term): well, that's the point I'm making, that whole industry is bad for defensive security as it involves keeping vulns secret as long as possible, so they can be used by them.

Govs have to make a choice whether that's an industry they want to encourage, be neutral to, or discourage.

But given this line of thinking is one you'd disagree with, what option for addressing the problem do you prefer?



What difference does it make what they do with it? Stipulate for now that they use them to hack Russian and Chinese computers. That is, stipulate that there is a good public policy reason to regulate that kind of work. How would you accomplish that regulation? What, exactly, would you ban?

If you can't articulate a reasonable and effective regulation that would control vulnerability research, regulation will do more harm than good: it will wipe out beneficial research and drive talent towards malicious research.

It's not on me to come up with a way to "address" the "problem". Doing nothing seems like a more credible response than trying to outlaw specific kinds of computer programming.


Indeed; however, in the same way as it's not up to you to "address" the "problem", nor is it up to me :)

Doing nothing would seem like a losing response given the current swing of events but I'll defer to your greater experience.



