USENIX Security 2026
"Oh, what people would do with my knife?" Navigating the Dual-Use Dilemma in PoC Exploit Development, Disclosure, and Community Dynamics
Arwa Al Alsadi, Lorenz Kustosch, Lamya Alowain, Michel Van Eeten, Carlos H. Gañán
Abstract
The cybersecurity landscape faces an escalating challenge as proof-of-concept (PoC) exploits transition from demonstrations to weaponized attacks within minutes of disclosure. While research has documented temporal dynamics and malicious deployment, a critical gap remains in understanding the human factors underlying PoC creation. Through semi-structured interviews with 16 PoC developers across diverse regions, we apply Expectancy-Value Theory to reveal PoC development as a complex motivational ecosystem where technical confidence, value assessments, and risk calculations intersect within dual-use tensions. We demonstrate that PoC development spans a continuum from crash demonstrations to weaponized exploits, shaped by multifaceted calculus rather than binary ethics. We identify three theoretical extensions: dual-use moral reasoning enabling responsibility externalization, dynamic value assessment where vendor behavior reshapes disclosure decisions, and identity navigation between ethical research and technical mastery. Vendor responsiveness, community dynamics, and legal constraints significantly influence disclosure strategies. PoC developers adopt risk-mitigation approaches when navigating tensions between security improvement and potential misuse, challenging binary conceptualizations of "responsible" versus "irresponsible" disclosure.