by tsimionescu 638 days ago
Why is it unjust to prosecute people who harm a business and unsuspecting customers of that business by disclosing 0-day vulnerabilities publicly without giving them even a chance to patch?

The poster here has no proof that the vulnerability was already being exploited. For all we know, as obvious as this was, no one else had yet thought to look.

This is like going around people's house doors, testing to see if they are unlocked, and if they are, posting a big sign saying "unlocked door" on each one. It's obviously an anti-social act masquerading as benevolent, and it should be punished. Of course, the company running such highly vulnerable code should also be punished, but that doesn't absolve anyone.


Your metaphor is a big stretch. We're talking about a business and the expectations we should have for businesses.

Noticing an overhead pipe at McDonald's is dripping onto the griddle and pointing it out to people isn't harming the business, it's pointing out the business' gross negligence.

I don't agree with your alternate metaphor. In your example, publicly pointing out the leaking pipe can't cause any damage to the existing clients. In this case, publicly pointing out an exploitable vulnerability that gives access to personal information does bring extra harm to the customers.

If you want, a more apt comparison might be going around a business park and sticking big signs on every unlocked archive door you find. The companies not properly locking the doors are at fault, and customer data may already have leaked; but you are virtually guaranteeing that even more customer data will leak by doing this. It should absolutely be illegal.