http://blogs.technet.com/rhalbheer/archive/2008/05/18/selling-vulnerabilities-and-ethics.aspxShoaib just blogged on Hacking &amp; Security Community - Ethical or Unethical? . To start with: I do not claim that I know all about ethics and that there is only one view on ethics but I have a clear view on certain things. I blogged on this theme severalen-USCommunityServer 2.1 SP1 (Build: 61025.2)http://blogs.technet.com/rhalbheer/archive/2008/05/18/selling-vulnerabilities-and-ethics.aspx#3057153Mon, 19 May 2008 07:13:05 GMTd5e57398-b9ef-4490-9955-07cbb4e4a80d:3057153Shoaib Yousuf<p>Hi Roger,</p> <p>As you mentioned - WabiSabiLabi tells us that they will not sell to the bad guys and that they check the identity.</p> <p>We all know for the matter of fact - it is just take few mins to create identity. We need to keep in mind that bad guys can do anything dirty to cause any harm. They don't care for ethical and unethical stuff but we do.</p> <p>If any security researcher finds any vulnerability - i think he should notify the vendor first as you said.</p> <p>Cheers</p> <p>Shoaib</p>