I think all your examples would work fairly well with my initial proposal: if you are going to disclose a flaw, either do it publicly or reserve it to the actor who may be able to correct it. Only these two courses of action would provide a legal shield. Revealing a flaw or an exploit to another actor would engage your responsibility if this actor behaved criminally. I don't know the English legal term, facilitator? Accomplice? That's how we charge people who, for instance, provide otherwise legal help to people they know are terrorists or criminals.

"Does it stand to reason that attempting with purpose to discover exploitable flaws in and of itself makes you a bad actor?"

No. I think a lot of past litigation of such cases was really misguided.

"What if someone wrote software that had a legitimate use, but made use of an undisclosed flaw that is then sold to many consumers and reverse engineered, revealing the flaw to larger constituents?"

Illegitimate unless the flaw was previously disclosed in a responsible way to the constructor (which basically means giving them time to solve the issue).

"What if bad actors merely used a tool out of its original context to exploit a side effect?"

If the tool had an exploit built in, the author's responsibility is engaged, not otherwise.

"If an open source project collects money from a bad actor unknowingly and then discloses through a PR or official release the existence of a flaw previously unknown, should they be culpable?"

Of course not, but we live in a stupid enough universe for such a thing to be liable.