
Unfortunately, much of the internet industry has an established history of doing just that. This heavy-handed approach to vulnerability disclosure has led to an atmosphere of distrust and is bad for everyone. Facebook's policy is intended to alleviate much of the tension involved with vulnerability disclosure.

If you're curious, the EFF has published a number of great articles on the topic:

https://www.eff.org/issues/coders/vulnerability-reporting-fa...

https://www.eff.org/deeplinks/2010/12/knowledge-power-facebo...



I think you are confused. I've been in the security industry for about 10 years. Disclosing a vulnerability is not illegal. Over the years, some companies have tried to sue over this, but these censorship attempts do not turn out well.

Not only is it legal to disclose unfixed vulnerabilities, but it is legal to sell them. Presently, the biggest buyer of them is none other than the US government.


Whoah. Whoah. Whoah. You're handwaving around the real issue. It's not legal to find vulnerabilities by testing other people's running web applications without permission, and it never has been.

People obviously do it, all the time, against sites that haven't officially given permission (as Google and Facebook have), and most of the time they get away with it, but they are rolling the legal dice every time they do. People have been getting in trouble for doing this for years.

The people selling vulnerabilities are generally running the software themselves. Huge difference.


My post, and his reply, were only discussing the disclosure of vulnerability information. I didn't say it was legal to attack a live system that you don't own. I see how you are making that logical leap in the case of Facebook, but it isn't necessarily a given. There are ways one can legally become aware of vulnerabilities in Facebook, and share that information.



