[sqeaky]

A person can do research on a salary. Demanding money because you found a 0-day in their software is scarily similar to blackmail.

There is plenty of room between blackmail and research. A professional researcher can draw a paycheck and release exploits as found.

[tptacek]

Doing work on your own time, with your own materials, and expecting to be paid for your work product is "scarily similar to blackmail"? Could you go into that a little bit more?

Exactly how are these "professional researchers" generating their paychecks?

(NB: I was one of those "professional researchers".)

[sqeaky]

Once a researcher has found an issue, demanding money after the is similar to blackmail.

Agreeing on money up front seems like a reasonable way, I also see no problem with bounty programs or even asking for more from bounty programs. Withholding a bug until a bounty is raised is were I would draw the line at blackmail.

[tptacek]

You haven't explained how it's anything at all like blackmail. Say I'm the researcher and you're the vendor. I'm offering to sell the product of my own work. You're free not to buy it from me. But you are in no way entitled to my work product!

[statictype]

The sole value of your "product" is to actively harm the vendor's product. It doesn't provide any other value (unless you want to claim that it can be sold for educational purpose).

[zpharer]

Couldn't that be compared to, say, selling protective sportswear. That is also selling protection from harm. Now if the researcher threatens to auction off the exploit...

[sqeaky]

This is like the exact opposite. It would be more selling "not punches" as long as you buy I will show you all the places I could have punched you. You can guess what I do if you don't pay the known hacker/puncher.

[tptacek]

So don't buy it!