Surely you can see there's some difference in magnitude here, right? Which one does it more?

And even if the end result has some overlap, there's a bit of an ethical difference between:

* developing an exploit that you keep quiet

* preventing others from talking about exploits they discover

Surely you can see that they're all bad actors, undermining the software and infrastructure that we all use, putting our systems and our data at risk through their grubby actions and even their grubby inaction, right?

I don't care which bunch of spies does it more. I don't want spies doing it at all.

> and even their grubby inaction, right?

Yah, I guess by not searching for new exploits tonight for public disclosure, I'm putting the entire software world marginally more at risk by "grubby inaction."

> I don't care which bunch of spies does it more. I don't want spies doing it at all.

I care: some bad actors in my government vs. forcing an entire massive economy to participate in bad actions will have massively different magnitudes of effect.

There's always going to be bad actors, but preventing 15% of the world's population from being good actors surely is a pretty significant thing.

Ethically, it’s not the same.

There's nothing ethical about leaving your nation's infrastructure vulnerable to attack just because you want to indulge in the boy's own adventure of attacking the infrastructure of other nations.

It's not ethical. It's not professional. It's school boy stuff.

Whoa, I think we're on the same team. I was saying it's not ethical to tell only your gov't about the exploit, and not your customers.