This one is a couple of years old but still relevant, especially with the recent ransomware attacks. We’re used to thinking in terms of human actors, where an informant is a very different kind of asset from an undercover operative. The former is a passive conduit of information while the latter is an active force for change. In technological conflict there is no such difference. Both activities require the ability execute code on the remote machine and once that is achieved it can be used for any end, passive or active.
And of course any vulnerability, once discovered, can be used by whatever criminal claims it first.
Disclaimer: I don’t necessarily agree with or endorse everything that I link to. I link to things that are interesting and/or thought-provoking. Caveat lector.