Normally I agree with you on almost everything in this realm, since, well, it's your field of expertise.
But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.
If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.
Those people actually work for Blackwater. People who sell vulnerabilities by and large have only a vague idea of their customers. Many exploit developers would, for instance, draw a line between enablement of FVEY national SIGINT and shady spyware shops like NSO, and can rationalize that it's the good guys who are getting their bugs.
I'm not saying that makes it OK (I think the opposite thing, in fact, though I feel like I always need to add the disclaimer that the kinds of bugs that have commercial/operational relevance aren't the kind I develop). I'm saying that the dynamics are different than they are with Blackwater.
But XE/Blackwater/whatever has plenty of support staff enabling operators overseas. Just because you don't carry an M4 while you cash your check from the organization doesn't mean you aren't helping them in their missions.
If you sell vulns and tools to spyware firms, you know exactly who the most likely high bidders are. It ain't the Bill and Melinda Gates Foundation.