I would like to agree with Mr. Dupont in that regard.
I think the area where there is an ethical line is in the security research community. The security researchers who are looking for vulnerabilities can do basically one of two things. They can provide that back to the vendor, which is part of the confidential responsible vulnerability disclosure program, and have it fixed, or they can sell that vulnerability to the cybercrime industry or others.
We try to provide “bug bounty” programs and other incentive structures to encourage and align those security researchers with the good guys.