Think about it: You found a way of breaking into my house (would not be too hard though but let's just use this as an example) and you are selling this knowledge to intruders. Is this legal? Is this ethical? I mean, my home has vulnerabilities and if you discover a easy way to get in. Are you really allowed to sell that knowledge?
If we bring it to the next level: You have the knowledge of how to break into a specific branch of a bank and get to their money. May you sell it or would you not be part of the robbery that way?
In my personal opinion, these questions are easy to answer, aren't they? Most of us will for answer with a "no" to all these questions (where we probably could argue about legality but not about ethics). So, why do we have to have this kind of discussions with software vulnerabilities? The argument I hear often is that it takes a lot of work to find those vulnerabilities - well, why do you have to find a way to get into this bank, then?
Articles like the following are scaring for me: http://www.iht.com/articles/2007/01/29/business/bugs.php
Let's rather jointly work to get the Internet a safer place instead of making money of vulnerabilities. Often, this is linked to Microsoft - the problem is much, much bigger than "just" Microsoft. Let's come back to the statement with the bank above - now n the Cyberspave :-(
I would love to get your comments on this
Greetings from Amman