What magic are you using to predict that this communication tool is never be used by someone in "imminent physical danger"?
Depending on how this exploit works, a simple denial of service when someone needs to call for emergency services may indeed represent an "imminent physical danger". People rely heavily on their phones, both for connectivity and to store important information. As this reliance increases in the future, the probability of a phone being part of a life threatening situation will approach one.
I didn't imply that it's inconceivable that the vulnerability eventually leads to danger. The point is that the safety issues at a garage directly lead to harm, while the safety issues with a phone don't. (Note that the garage doesn't require anyone to actively exploit it to harm people.) Also, there's no way for the garage collapsing to help people, while selling an exploit to the FBI can conceivably help people (not difficult to imagine scenarios).
> I didn't imply that it's inconceivable that the vulnerability eventually leads to danger. The point is that the safety issues at a garage directly lead to harm, while the safety issues with a phone don't.
Then why is the CFAA still a law?
> Also, there's no way for the garage collapsing to help people, while selling an exploit to the FBI can conceivably help people (not difficult to imagine scenarios).
What do you mean? I laid it out already. You can short the company that owns it. Quite profitable. And maybe you donate the money to cancer research. If the garage happens to collapse at night when it only damages millions of dollars worth of cars but no people then it's not difficult to imagine that could come out as a net positive (it's clearly a personal positive for the short seller), and of course we won't know the extent of the harm ahead of time in either case.
I'm not even convinced that this should create a legal obligation to disclose it, especially in the cases where the most likely harm is financial or property damage. Otherwise that would pretty much ban half the stuff Wall St does. But not disclosing a vulnerability still makes you a jackass, which kind of implies that at least the government should not be doing it with tax dollars.
Plenty of things are illegal without directly causing physical harm to people. This is irrelevant.
I think I've made it clear what the relevant ethical difference between garage and exploit. If you think one still informs our ethics regarding the other, fine; I disagree.
Depending on how this exploit works, a simple denial of service when someone needs to call for emergency services may indeed represent an "imminent physical danger". People rely heavily on their phones, both for connectivity and to store important information. As this reliance increases in the future, the probability of a phone being part of a life threatening situation will approach one.