Wait... all vulnerabilities are bugs and many bugs make software vulnerable in some way (even if not obvious at first). So where do you propose to draw the line between normal software QA (testing and bugfixing) and a hunt for vulnerabilities? My reading is that this would blatantly outlaw all forms of software testing.
GP is being sarcastic. Obviously outlawing finding and exploiting vulnerabilities in software would be useless (since black hats would ignore the rule) and actively harmful to the security of the modern software ecosystem (since white hats wouldn't).
