Maybe it's time to require public zero-knowledge proofs of a working exploit before privately-delivered exploit details can be considered.