Saturday, May 24, 2008

Is Security Research Ethical?

An answer to this question from another security expert.

A couple of days ago I posted Face-Off: Is vulnerability research ethical?. Roger Halbheer has posted a very nice response to the debate between Bruce Schneier and Marcus Ranum.

The best part of Roger's response is:

Once you find a security vulnerability, what do you do with it? Do you do responsible or irresponsible disclosure?

As Roger said, I totally agree with his comments. It is not about security research; the question is what we do after finding a vulnerability. Finding a security vulnerability is not a crime, nor is it unethical. What people do after that is what makes it unethical. If, after finding a vulnerability, we follow responsible disclosure and the company rewards the security researcher with dollars or whatever, that approach is completely ethical to me. If, after finding a vulnerability, you follow irresponsible disclosure and sell the vulnerability on the black market, that approach is unethical.

As Roger said:

But to me, this is the wrong question: It is not so much about security research.

