This is in response to a great thread started by @cyb3rops.
The question is, should testers release tools and bypass techniques to the public?

Once there was a time when vendors threatened to sue security researchers who found bypass techniques.
Before this, there were a large number of security professionals in fear of vendors threatening to sue them.

So, we released 1 bypass per day against @cylanceinc over a week: https://www.blackhillsinfosec.com/tag/cylance/ 
We had to show the community was not afraid. Long story short, this led to a great dialogue with us and @cylanceinc and they are not the same company they were. They are better. Much better. We are better too.
In fact, the whole EDR/endpoint space is getting better very quickly. And, I attribute this to the efforts of those teams, and the work of security researchers finding and sharing these issues.
It could be argued that the testing community should just share these issues with the vendors directly to have them fixed. This would be a great idea, if the vendors actually addressed or fixed the issues that are shared this way.
Often, the vendors' main concern is not the issue or bypass, it is the publicity. When you find an issue/0-day/bypass and try to share it with a vendor, many will just have you sign an NDA and walk away fixing nothing.
We fought for years for this to get better. Back in 2012 @robtlee, @LaNMaSteR53 and I worked to update some SANS classes. Tim bypassed McAfee in about 5 minutes. McAfee freaked and we had an emergency meeting with them.
They were not interested at all in fixing the issues. They were far more concerned with the bad publicity. There were also some veiled legal threats.

https://www.sans.org/blog/is-anti-virus-really-dead-a-real-world-simulation-created-for-forensic-data-yields-surprising-results/
But wait! There is more! Back in 2010 this exact same conversation started with the AV community:

http://anti-virus-rants.blogspot.com/2010/03/open-letter-to-metasploit-community.html
The assertion that we would be safer if the testing community did not share techniques/tools is flawed. If the offensive community doesn't release these issues, the vendors do not get better. There is a lot of history to back this up.
The assertion that the bad actors would attack less if we did not release tools is also flawed. Attackers gonna attack. It is just what they do.
You do not want the offensive community to go back into the dark. You do not want us hoarding techniques and tools. You do not want us afraid of the legal repercussions of our research.
We do not want to go back to the defensive community hating us for our work. We do not want to get blamed for every attack. We don't want companies to get hacked. We want our jobs to get harder.
We all need to work together. Any weakness is a weakness that needs to be fixed, let's work together to fix things.

As I said, things are only fragile till they break.

Or, as @k8em0 says "Don't hate the researcher, hate the vuln."
You can follow @strandjs.