Is it ethical to, having enough knowledge to suspect there's a vulnerability, to withhold that knowledge from those in a position to fix it? You're keeping many other innocent people at risk with our silence. Software developers make mistakes all the time. There are lots of other people in the world skilled at finding those mistakes. Some of these will use those to attempt to profit, while others want to protect innocent people. It seems strange that you attempt to discount the work of all of the people in that second category. These are the guys that keep the number of 0days down. If they win, you get a monthly security patch from your vendor. If they lose, you get services taken down for weeks due to break-ins and lots of ugly work arounds.