by AnthonyMouse 3281 days ago
It doesn't matter whether offense is stronger than defense because this is not a mutually assured destruction scenario. Having offensive capabilities doesn't prevent an attack because we already have offensive capabilities -- sanctions and missiles. The problem isn't an inability to strike back, it's attribution. A hoard of vulnerabilities does nothing to solve that.

What governments actually use vulnerabilities for isn't deterrence, it's espionage and sabotage. But those goals can't justify knowingly leaving critical infrastructure vulnerable to criminals and terrorists.

> I think you have to accept that hoarding vulns is the international reality and difficult to change.

It doesn't really matter whether other people are doing it. The solution is to keep the espionage agencies on the hunt for vulnerabilities but require them to be disclosed within e.g. four weeks.

If it really is so easy for entities with state-level resources to find vulnerabilities, then they'll be able to find a new one every month and continue to use it for their espionage, and at least the low-hanging fruit will be eliminated, which makes it harder for criminals without state-level resources.

If there is not an endless supply of vulnerabilities, then soon enough they'll have reported every existing vulnerability in commonly used software, they'll all be patched, and there will be nothing for other states to hoard, regardless of whether they have the same policy or not.