To me, the big question underneath all of this is password dumps. I don't know that there was much uncertainty about buying vulnerabilities. But password dumps are almost always per se stolen data, and it's a bit of an open secret that there are anti-ATO teams using those dumps to create better versions of HIBP. I read this looking for clear guidance on whether it was safe to buy a password dump if you're only using it to force password resets for your users, and didn't come away with much certainty in either direction.
I'm glad they released this and made it clear that there is a legal and safe way to collect this sort of information.

From my reading, as long as you're not furthering any crimes the community is engaged in, or impersonating a real person to gain their trust (as opposed to a fictional false identity), or breaching any systems they use, then it's generally okay to gather information. Purchasing stolen data (that you own/are authorized to possess) and vulnerabilities is more complicated, but they explain some legal ways of doing it.