
Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)


Posted Mar 26, 2021 19:25 UTC (Fri) by dskoll (subscriber, #1630)
In reply to: Google’s top security teams unilaterally shut down a counterterrorism operation(Technology Review) by josh
Parent article: Google’s top security teams unilaterally shut down a counterterrorism operation (Technology Review)

Yes, sure. But when there's the potential for people's lives to be at stake, I don't think it's unreasonable to give some kind of heads-up (and it may well be that Google did that.)



Posted Mar 26, 2021 22:36 UTC (Fri) by josh (subscriber, #17465)

It's absolutely unreasonable to expect any security researcher to notify an attacker that their exploit will stop working.

Lives may be at stake either way. Any vulnerability can be used by any attacker. Security researchers should not be in the business of leaving vulnerabilities unfixed, or evaluating how much they agree with the attackers exploiting them. Fix them all, and let attackers find out via the public announcements along with everyone else.

Posted Mar 27, 2021 1:20 UTC (Sat) by mjg59 (subscriber, #23239)

When exploitable vulnerabilities exist in Google's products, lives are already at stake. Removing those vulnerabilities is absolutely the right thing to do regardless of who's exploiting them at a specific point in time - there's no way to know whether someone else will be exploiting them 5 minutes from now.

Posted Mar 29, 2021 6:21 UTC (Mon) by Seegras (guest, #20463)

An intelligence agency which keeps vulnerabilities secret is putting the security of its own infrastructure, police, army, government, power plants, hospitals and lives of its people at stake.

It's wholly irresponsible to do that in the first place, because of course, not just criminals (#wannacry?), but terrorists could use these vulnerabilities as well.

The "counterterrorism"-argument is a straw man, this isn't about that, it's about surveillance and control on the side of intelligence agencies, directly harming the security of the people they're supposed to protect.

Posted Mar 30, 2021 2:31 UTC (Tue) by gdt (subscriber, #6284)

The "agent's life at risk" scenario raises other questions; particularly intelligence officers being honest with agents about the risks involved.

0-days have a tenuous existence. Sure there are 0-day projects, but 0-days can also close due to software source code analysis, or even by adding a new feature to the software leading to an alteration of the code. The motivation for the change doesn't matter: if the action is deliberate or incidental doesn't matter -- in the "agents at risk" scenario then when the change happens then the agent is killed.

Intelligence agencies which claim "agent's life at risk" when discussing 0-day exploits need to explain how they intend to continue to recruit agents when they so clearly value the lives of their agents so little as to risk an agent's life with each software update.

Posted Apr 5, 2021 6:52 UTC (Mon) by riking (subscriber, #95706)

I modestly submit that if the attackers wanted a notification that the bug was about to be fixed, they should have included their contact details in the exploit.

:)

