Security firm Netragard has suspended its exploit acquisition program two weeks after it was found selling a potent piece of attackware to the Italian malware developer Hacking Team.

Netragard has long insisted that it sold exploits only to ethical people, companies, and governments. An e-mail sent in March and leaked by one or more people who compromised Hacking Team networks, however, showed Netragard CEO Adriel Desautels arranging the sale of an exploit that worked against fully patched versions of Adobe's Flash media player. Hacking Team in turn has sold surveillance and exploit software to a variety of repressive governments, including Egypt, Sudan, and Ethiopia.

"Our motivation for termination revolves around ethics, politics, and our primary business focus," Desautels wrote in a blog post published Friday. "The Hacking Team breach proved that we could not sufficiently vet the ethics and intentions of new buyers. Hacking Team, unbeknownst to us until after their breach, was clearly selling their technology to questionable parties, including but not limited to parties known for human rights violations."

Desautels went on to criticize advocates of laws that restrict sales of so-called zero-day exploits. These advocates often compare sellers of zero-day exploits to mercenaries who fight and sell weapons to the highest bidders with no regard for civilians caught in the crossfire. Desautels, by contrast, praised the use of zero-day exploits in certain cases, such as one from 2013 used to de-anonymize visitors to a child pornography site who used the Tor privacy service to hide their IP addresses.

"People who argue that all 0-days are bad are either uneducated about 0-days or have questionable ethics themselves," Desautels wrote. "0-days are nothing more than useful tools that when placed in the right hands can benefit the greater good."

The CEO went on to call for regulations that hold exploit buyers accountable when the attacks are used inappropriately or to further a crime.

"It's important that the regulations do not target 0-days specifically but instead target those who acquire and use them," Desautels wrote. "It is important to remember that hackers don't create 0-days but that software vendors create them during the software development process. 0-day vulnerabilities exist in all major bits of software and if the good-guys aren't allowed to find them then the bad-guys will."

As Ars recently reported, the US and 40 other countries are considering updating the Wassenaar Arrangement to tightly control the export of exploit code. Some security researchers warn that the updated treaty could land them in jail. The deadline for people to submit comments to the US Bureau of Industry and Security is today.

The full text of Desautels' most recent blog post follows: