If other people are attacking you, should you lay down all your weapons and hope they do the same?
Are people attacking Exodus via TOR? If not, then what ethical justification does it have for involving itself as the NSA's mercenary?
I'm all for self-defense; it's aiding aggression that I find unethical.
I don't think it matters whether we take Exodus or the US Government. I'm not really sure why being a mercenary is so bad? What is the difference if the US Government pays Exodus or hires the people working for Exodus to write exploits directly?
And yes, people are using Tor to fight against the US; certainly hackers and terrorists use Tor. (I don't believe more than a small fraction of Tor users are malicious, but malicious users undoubtedly exist.)
Clearly, I'm failing to understand -- what is there about your hypothetical situation that precludes responsible disclosure?
Also, responsible disclosure is sort of tautologically ethical because it does consider context (that's what the "responsible" part means). If you're not sure what kind of disclosure is responsible, then the only ethical option would be to forgo the hacking.
If you have responsibly disclosed every exploit you know about, you are not going to be able to hack into the computer which triggers the bomb. I'm not sure why this isn't obvious. Unless somehow your "responsible disclosure" allows for holding on to exploits until you need them for dire situations, you have no way to stop such a computerized device.
Let's be more concrete here: someone has hooked up a Raspberry Pi to detonate a bomb, which is triggered, say, over Tor. Whoever made this wasn't stupid: it has a heartbeat which will detonate the bomb if it fails, so you can't just jam it or cut off internet access. It has normal motion sensors, etc. You have 1 hour to disable it.
I propose that given the possibility of such a scenario (or scenarios like this; obviously this is an extreme and contrived example to try to prove a point), it is ethical to withhold disclosure of vulnerabilities. In your proposed scenario, the government has "emptied its cyber arsenal". It has nothing it can do to prevent such an attack. I believe it is superior to have the capability to prevent such an attack.
Being forced to choose the lesser of two evils doesn't mean you should become the active accomplice of that evil.
Besides, on a more practical note, you're also failing to consider the rest of the collateral damage. By supporting Exodus's position, you're saying that hypothetically saving the lives of the Iranian scientists is worth hypothetically risking the lives of TOR users worldwide.
Except it isn't that simple... one side has to win. If the US Government doesn't have people writing exploits, they are losing tools that help them to fight $ENEMY.
It's like saying we shouldn't have fought in World War II against Hitler, because war is bad. The Allied forces were the "lesser of two evils"--evil, of course, because war is unethical just like hacking is. Why choose to actively help the lesser of two evils? We should have remained neutral.
We can ignore any historical facts for the sake of hypothetical arguments and say Hitler would have succeeded with 100% certainty without US support. In this sort of scenario are you trying to say that the ethical thing to do is nothing? It really sounds like we have some huge differences of opinion in all of this, so this probably isn't going anywhere.