by big_surprise 3596 days ago
Then you misunderstood your own logical conclusion...

You said (and I quote):

  Can't I just flip this around on you and say
  you have an ethical obligation to spend some
  of your time looking for vulnerabilities?
No. No, you can't. Unless you could convince me that my Dwarf Fortress skills have a similar magnitude of real-world effect as the vulnerabilities I've discovered on my own and decided to pocket for one reason or another.

  By your logic, I am better off not doing vulnerability
  research in my spare time --- as is virtually everybody
  else. How is that a good outcome?
No. By my logic, you are better off not doing vulnerability research in your spare time if you have to worry about the legal ramifications of your actions.

The ethical conundrums are unavoidable, and those calculations are indeed difficult.

The legal consequences are artifice, and by agreeing to those (while ignoring externalities and not going public), you are likely putting others at risk.

  Forget the legal consequences. Reporting vulnerabilities
  is work. By your logic, by doing some work in my spare
  time, I am morally obligated to do more work for others.
  I'm better off just picking something else to work on.
Perhaps so... As long as you recognize that your work is inherently dual-use (it has effects beyond your initial intent), and you don't intentionally hide that fact from yourself or others, then I have no problem with what you do.
  I feel like you have unusually strong feelings about this
  whose implications you might not have fully thought through.
I feel the same about you.