by AsParallel
2495 days ago
The problem is the legal equation isn't that simple, and is subjective by merit of the extent to which it is subjected to persistent arbitration. This just leads to muddied waters and attempts to favorably contextualize the discussion in favor of one actor over the other. Black and white reasoning isn't a luxury afforded those who find themselves entangled in these situations. Some examples:

Does it stand to reason that attempting with purpose to discover exploitable flaws in and of itself makes you a bad actor? (We've sentenced minors, academics and "white hats" using this argument.)

What if someone wrote software that had a legitimate use, but made use of an undisclosed flaw that is then sold to many consumers and reverse engineered, revealing the flaw to larger constituents?

What if bad actors merely used a tool out of its original context to exploit a side effect? Does this constitute intent? (This was tried and the individual in question was jailed.)

If an open source project collects money from a bad actor unknowingly and then discloses through a PR or official release the existence of a flaw previously unknown, should they be culpable? (Waiting to see this one play out; it hasn't yet, but I have no doubt it will. I was kind of expecting it as a result of event-stream.js.)

This all just speaks to the concept of subjectivity vs objectivity in the litigation of this concept. The point where it is subjective, rather than objective, is the point where it becomes an ethical discussion, and is therefore subject to the principle of fallibility and the human uncertainty principle. tl;dr, if you can't strip motive, investment and bias from the argument, it can't be objective by definition.
"Does it stand to reason that attempting with purpose to discover exploitable flaws in and of itself makes you a bad actor?"
No. I think a lot of past litigation of such cases was really misguided.
"What if someone wrote software that had a legitimate use, but made use of an undisclosed flaw that is then sold to many consumers and reverse engineered, revealing the flaw to larger constituents?"
Illegitimate unless the flaw was previously disclosed in a responsible way to the constructor (which basically means give them time to solve the issue).
"What if bad actors merely used a tool out of its original context to exploit a side effect?"
If the tool had an exploit built-in, the author's responsibility is engaged, not otherwise.
"If an open source project collects money from a bad actor unknowingly and then discloses through a PR or official release the existence of a flaw previously unknown, should they be culpable?"
Of course not, but we live in a stupid enough universe for such a thing to be liable.