Exploits are sold and used as weapons, sometimes even weapons of war. Which in many places is criminal, except under very restrictive circumstances.

Also, all kinds of aiding and abetting.

What does that have to do with this comment thread?

Copying from the comment I was replying to:

> But publishing a working exploit together with the disclosure before patches are available is really really irresponsible, maybe even criminal

If you wanted to somehow make coordinated disclosure into a legal framework, that would be an interesting and complex project.

But it’s not the law anywhere I’m aware of today, and I’d not support it becoming a law.

This is kind of a thing already in the EU. Under NIS 2, vulnerabilities should be notified to a CSIRT as well as upstream, and the CSIRT shall identify downstream vendors and negotiate a disclosure timeline. I don't know whether they're any good at it or not, though.

You know companies are allowed to pay people to find vulns, and pay people bug bounties?

Instead of that, you’d rather make the law compel free individuals to limit their speech, or to hand over their work to big companies privately, so big companies can save money?

That doesn’t sound like a nice future, if it’s even enforceable at all.