Verizon's Wade Baker (with assistance from Dave Kennedy; I will refer to them interchangeably as Wade, Dave or Verizon) published a post claiming that vulnerability/security researchers are given too much leeway, and are closer to criminals than good guys. He suggests they should rather be called "narcissistic vulnerability pimps" (NVPs) in future. Dan Goodin got some clarification when writing his piece for The Register, which expands on some of Verizon's motivations and justifications.
While I think I identify with part of his frustrations, he's wrong. Mostly due to an overconfidence in how vendors optimise for "shareholder value", but also because while scrabbling to paint vuln researchers as bad guys, he forgot about the actual bad guys.
Wade suggests three categories that could be used to describe security professionals; as they are neither exclusive, accurate nor sufficient, I'm going to ignore them. Instead, I'm going to try to distill what Wade believes is the problem, and his preferred approach, while attempting to avoid the straw man.
Wade seems to believe that people who discover vulnerabilities, then publish them to the general public, whether after informing the vendor or not, are motivated predominantly by glory and not good intentions. The few motivated by good intentions, it seems, would also be labeled problematic by Wade (& Dave, as the quote is his) because:
[F]ull disclosure was never a good idea, even in cases, like Ormandy's dust-up with Oracle.
The alternative Verizon would like to see, it seems, is that researchers who find vulnerabilities report them to the vendor and walk away. I'm assuming they'd allow for some follow-up, but publishing the vulnerability publicly would earn you the NVP label. Once again, a quote from Wade/Dave/Verizon/Dan Goodin:
"Apple has a responsibility to their shareholders and to their customers to deal with the vulnerabilities, and their shareholders and their customers can hold Apple's feet to the fire. They have their own ways of exerting pressure on Apple to behave in a way they think Apple should behave."
There's an obvious problem with Wade's approach: it isn't universalisable, and we have hard facts for that. There are many vendors who don't act on reported vulnerabilities, as anyone who's ever submitted security flaws to vendors can tell you. David Litchfield has even waited a few years before eventually publishing Oracle vulns. Even if every vendor in existence responded to discovered flaws perfectly, there's no obligation for them to. If we look at the externalities pressuring them to action, sexy new features are going to please both shareholders and customers more. Those same customers and shareholders don't really understand this complex security mumbo jumbo, and so in the rare instances when vendors can patch a bug without at least one news outlet publishing an "OMFG there's a flaw in product X" story, the customers and shareholders still aren't going to fully appreciate the security fix. What's more, if a security fix prevents a customer from getting hacked, they will have no idea, and won't credit the vendor. The only time not deploying a fix will be a problem for the company is if a mass or high-profile public hack of their customers occurs. Given that most criminals don't like getting caught and that computer crime is hard to detect, that's a much rarer event than the actual occurrence of hacks. This is exactly why full disclosure came about: *in response* to the way vendors were ignoring bugs, to add another externality to drive them into fixing bugs.
This is where the difference between actual computer criminals and security researchers becomes important. It's something Wade gets woefully wrong:
Have you ever heard of a terrorist referred to as a “demolition engineer?” How about a thief as a “locksmith?” No? Well, that’s because most fields don’t share the InfoSec industry’s ridiculous yet long-standing inability to distinguish the good guys from the bad guys.
The security researchers Wade is taking aim at are the ones who publish their work publicly (hence the addition of "narcissistic", I believe). But there are a whole whack of people who don't publish their work publicly, or to the vendor, or even via vuln clearing houses like VDI (which eventually gets to the vendor). Wade doesn't pass judgment on them. Even those people aren't criminals. One could argue they aren't optimising for the public good, because an actual criminal could have found the same flaw and be privately exploiting it. They aren't criminals because they haven't committed a crime, or even harmed anyone. Actual criminals are people who either discover or buy flaws and then use them to (or have the intention to) commit a crime. This is the distinguishing difference between a thief and a locksmith, or a terrorist (an already loaded term) and a physical pentester: their intention, and what they do with the information. One uses it to fix the hole, the other exploits it. This is why full disclosure exists: not to make money, but to encourage people to fix the holes, not exploit them. The fact that it can buy you a limited amount of fame is a bonus because it provides an incentive to go public (one that pales in comparison to the hard dollars you can get via other means).
Finally, I do identify with parts of Wade's frustration with regard to people who either disclose without reporting to the vendor first, or hype a vulnerability way beyond its actual risk. The first leaves the install base vulnerable with the exploit popularised; the second causes people to optimise resources poorly. There's room for updated research on vulnerability life cycles, to ensure the debate revolves around facts and not hypothesis. Either way, one should not be confused about which side those researchers are on. They are the good guys; their work could be used in far more evil ways, and they do work the vendor isn't able to do or capable of. They make us safer, maybe not always in the best way, but in the end they make us safer.