You may recall Cisco crushing Mike Lynn and his attempt to make the Black Hat security conference aware of a vulnerability in the OS run on Cisco routers. We then asked what Cisco did right. Mark Rasch of SecurityFocus has written an interesting column covering the legal issues, from non-disclosure to the EULA.
Hackers and true "black hats" will not be deterred from the terms of the EULA, however -- let's face it, they probably never bought the code in the first place and never entered into the clickwrap EULA. Thus, the "bad guys" will pick apart the code to discover and exploit the vulnerabilities. The implications of the Lynn case are that you must first ask permission of the software vendor to pick apart the code. I can imagine vendors granting permission with restrictions, whereby you can reverse engineer the code to find vulnerabilities, provided that you agree to tell US about them -- and never ever tell anyone else. In other words, they get the opportunity to fix the code, and nobody is the wiser.
That would be one of the bug fixing models I identified previously, then. The column is well worth a read, highlighting just how odd some of the legalities are.