by big_surprise 3593 days ago
No. By my logic, you are better off not doing vulnerability research in your spare time if you have to worry about the legal ramifications of your actions.

The ethical conundrums are unavoidable, and those calculations are indeed difficult.

The legal consequences are artifice, and by agreeing to those (while ignoring externalities and not going public), you are likely putting others at risk.

Forget the legal consequences. Reporting vulnerabilities is work. By your logic, by doing some work in my spare time, I am morally obligated to do more work for others. I'm better off just picking something else to work on.
Perhaps so... As long as you recognize that your work is inherently dual-use (it has effects beyond your initial intent), and you don't intentionally hide that fact from yourself or others, then I have no problem with what you do.
I feel like you have unusually strong feelings about this whose implications you might not have fully thought through.
I feel the same about you.