One important part in the FAQ is number 10. > Q: If
an IT security researcher had done an analysis on a software
application to find a vulnerability in the code, had written up code to
then take advantage of the vulnerability and then sent that code to an
anti-virus company or the software manufacturer, would that code require
an export license?
A: “The code that takes advantage of
the vulnerability would not require a license. As stated above,
“intrusion software” itself would not be controlled by the proposed
rule.
For any associated technology for the
“development” of “intrusion software”, under section 734.7 of the EAR,
any technical data sent to an anti-virus company or software
manufacturer with the understanding that the information will be made
publicly available, would not be subject to the EAR.”
Unfortunately, the words publicly available aren’t defined.