The CFAA makes it illegal to exceed authorized access to any 'protected computer' (in practice, basically any computer).
The exploit developer avoids violating the CFAA by developing the exploit on their own computer... because you are authorized to access your own computer.
The government doesn't violate the CFAA when using exploits because government agencies are exempt under 18 USC § 1030 (f)
Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.
Not a lawyer, do pay a lot of attention to this area for professional reasons. Answer: it doesn't, unless you (1) found the vulnerability through methods that themselves violate CFAA (for instance, by breaking into a remote computer), or (2) sold information about the vulnerability knowing that it would be used for a particular set of crimes, in which case you can get accomplice liability for those crimes.
CFAA doesn't have anything to say about vulnerability research itself. You'd be just as liable as an accomplice if you knowingly and deliberately provided free wi-fi to a hacker.
The CFAA makes it illegal to exceed authorized access to any 'protected computer' (in practice, basically any computer).
The exploit developer avoids violating the CFAA by developing the exploit on their own computer... because you are authorized to access your own computer.
The government doesn't violate the CFAA when using exploits because government agencies are exempt under 18 USC § 1030 (f)
Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.
Selling exploits doesn't inherently violate the CFAA.
Not a lawyer, do pay a lot of attention to this area for professional reasons. Answer: it doesn't, unless you (1) found the vulnerability through methods that themselves violate CFAA (for instance, by breaking into a remote computer), or (2) sold information about the vulnerability knowing that it would be used for a particular set of crimes, in which case you can get accomplice liability for those crimes.
CFAA doesn't have anything to say about vulnerability research itself. You'd be just as liable as an accomplice if you knowingly and deliberately provided free wi-fi to a hacker.