Neat idea in theory, not remotely practical. Let's look at why.

Are we including defensive ops here too? If not (and I can't imagine we would, that's HUGELY problematic), where is the line between offense and defense? Please read through and opine 1/
https://www.nytimes.com/2021/02/06/technology/cyber-hackers-usa.html
Before we can bar offensive or defensive work, we have to be very clear on definitions. Today, we are anything but clear.

There are things that are clearly offense, and the article touches on a few of these, but let's take a few polls and see how crystal (un)clear the line is 2/
You perform vulnerability research on software, discover flaws that could be reported to the vendor for patches or for someone to develop exploits. The choice of what to do is not yours. Is this (if the answer is unclear, please say why): 3/
You perform vulnerability research on software, discover flaws that could be reported to the vendor for patches or to develop exploits. The choice of what to do is not yours, but the contractor requires a proof of concept exploit for each vulnerability reported. Is this: 4/
You perform analysis of digital data (documents, email, etc., which *may* have been acquired under a legal process, some of which you confirm definitely was) to profile the individuals or organizations from which the data was collected. Is this: 5/
Same as above, but you've been explicitly told not to ask where the data came from. Is this: 6/
You teach digital forensics to a foreign government's law enforcement department (picture foreign FBI). Is this: 7/
Same as above, but it's penetration testing you're teaching. Is this: 8/
Same as above, but you're teaching exploit development. Is this: 9/
And this is just the tip of the iceberg.

When you only have to propose ideals, suggestions like this are easy. But when you actually think through implementation, it's clear proposals like this are highly unlikely to be successful and will cause more harm than good. /FIN
You can follow @MalwareJake.