by j_baker 5192 days ago
I'm curious what we could change legally to make this less of an issue. There's a clear conflict of interest between doing a public good by disclosing a vulnerability and not wanting to risk (at worst) the FBI coming after you or (at best) losing clients. I would certainly consider it unethical to know of a vulnerability and not disclose that information publicly, but there are so many hurdles to doing so that I don't blame some people (especially those who are less established) for not doing so.

It almost makes me feel that there should be a law requiring disclosure of vulnerabilities.

1 comment

The FBI is not going to come after you for publishing a DOS vulnerability in a mobile app; in fact, you could find and publish remote code execution in an extremely popular application (say Instagram or Twitter) without even telling the vendor and still not be in any trouble. People do it all the time.

Most of the stories you hear about people getting in actual trouble over vulnerability research involve web vulnerabilities. You cannot hack someone else's web site to make a point, even if the underlying point is unimpeachable ("this application is insecure and people should know about it").