True, plus, I forget the legislation, but you are effectively breaking into the computer first, which is a crime. Committing a crime for a noble outcome is still a crime.
Incentives are a real issue here and those that provide the patch would, reasonably, expect a reward, i.e. MS for updates, AV provider for testing, finding and securing the vulnerability and a whitehat for disclosure.
However, there is no reason why a "charitable" hacking group wouldn't do this as part of some sort of digital vigilantism. Sometimes people do things without extrinsic reward and the thrill here is that it is as hard as cracking, but you get to know that your efforts could be immediately applied.