And, because you think the thank-you Facebook offered was too low, you wouldn't blame him for selling vulnerabilities to criminals? Really? Selling vulnerabilities to criminals is itself a crime.
Black hat markets, presumably. At least that is the point being made by commenters here. Granted, selling the vulnerability is illegal and immoral, but that doesn't stop it from happening. The 'market rate' for vulnerabilities seems to be higher than what Facebook and Google are paying out.
This makes sense economically to me. In order for it to be worthwhile for a vulnerability discoverer to sell the exploit, the reward should overcome the cost. In this case, the cost is the probability of getting caught multiplied by the severity of the punishment.
Really? That's exactly what you're doing with Facebook - selling a vulnerability to them, which they then pay you for. So, disclosing to some third party ought also to be fine. The morality or otherwise is up to you though, I guess...
EDIT - I just read @tptacek's reply below. I guess that selling to known criminals, with the knowledge they would use the exploit to commit a crime, _is_ going to be illegal most places.
'daeken seems to disagree with you. Is he correct, or is the "to [proven] criminals" in your statement important?
Selling vulnerabilities to people you know to be criminals, or to people a prosecutor can convince a jury a reasonable person would have known to be criminal, probably is a crime.
Long before you disclosed the vulnerability in Onity hotel locks to the public, the startup you had co-founded "licensed" the same flaw to Lockmasters Security Institute, a company that trains law enforcement agencies, special ops, and intelligence agencies in covert entry techniques.
You gave LSI's government customers a pretty big head start before you bothered to disclose that flaw to the general public.
daeken's work on hotel locks got a lot of press, but the fact that he had two years earlier sold that info to a company for "law enforcement purposes" hasn't gotten nearly the press attention it deserves.
Martin Muench and Chaouki Bekrar have openly embraced what they do. As much as I dislike the path they follow, I have to at least respect them for being up front about the business they're in.
If you're going to help governments covertly break into people's homes, computers, and smartphones, you should wear it with pride.
With your response you make the problem even worse, by pointing out other people who made decisions that you, Chris Soghoian, don't approve of but whom you "at least respect".
I also think it's a little laughable to suggest that Cody in any way enabled the USG to break into hotel rooms, as if that was a capability they were just champing at the bit to buy from someone like Cody rather than something they've been able to trivially accomplish for the last 200 years.
I've worked with Cody in the past, consider him a friend (despite his different stance on the vulnerability market), and have a problem with comments that chime in on threads for the sole purpose of trying to take him down a peg.
In 2010, we (the startup I was running with friends at the time, UPM) decided to license the opening technology to a locksmithing company for law enforcement purposes.
If it is "laughable to suggest that Cody in any way enabled the USG to break into hotel rooms", then why would he describe the sale as "for law enforcement purposes"?