Yes, there are also many other lucrative illegal activities.

How is it illegal? It’s information available to the public.

If you sell something to someone and they do computer crimes, you're going to have to prove that you couldn't have known that they're a computer crimer.

It's the same thing with selling general offensive security tools. You have to proactively make it clear that it's for testing and not criminal use. Otherwise, cops are going to assume you're complicit and make things shitty.

Isn't it also illegal to withhold knowledge of a vulnerability for payment? It sounds like it should fall under some variety of blackmail.

That would be even worse than our already bad system.

The system is already pretty bad because vendors underinvest in security, and then to fix it, researchers have to volunteer their time to investigate with no guarantee of payment. If the vendor could force researchers to hand over findings for free, nobody would want to do security research except hobbyists having fun. They're basically signing up for hours of tedious forced labor to explain vulnerabilities to the vendor.

I wish there were legislation that allowed the government to fine vendors for security vulnerabilities like this, where the amount scales based on how much user data they leaked. And it could function like other whistleblower systems, where a researcher who spots a leak can report it to the government and collect 50%. That way, if the vendor says, "We're not paying you," the researcher can turn around and collect the money from the fines.

Vendors routinely get researchers arrested for breaking into their computers as well.