
I don't think exploit sales could ever be made illegal in the US. Courts have already ruled that code is speech [1], and the Constitution puts restrictions on how the government can limit speech. First 0-day exploits are illegal, then The New York Times.

Exploit sales are basically a byproduct of living in a free society. If you want them to go away, find the exploits yourself and post them to full-disclosure. Or pay someone to.

[1] http://en.wikipedia.org/wiki/Bernstein_v._United_States




This is the best argument against making them illegal, in my opinion. If you believe source code, code implementing cryptography, and privacy software like Tor and OTR are speech, then you can't set a double standard just because you don't like what exploits may or may not be sold to do.


Publishing exploits should certainly be protected as free speech, but the sale of exploits to a party with ill intent (governments included, even ours) is moving into the realm of arms dealing because that exploit is going to be weaponized. Intent matters.

If there is a transaction with weaponization as the intent => arms dealing

If it is published to edify => free speech


By that logic, having a Perl RSA implementation in your signature is arms dealing because the intent is for that speech to spread to others to weaponize it into encryption software. Reality already won that battle; let's not fight it again.


Can you legally sell exploits of physical systems? Say, a book containing instructions for breaking into any military installation?

Maybe it would be enough if an international treaty required all nations, and their intelligence and law enforcement arms, to abstain from using software exploits, and to disclose any exploit information they acquire to system vendors for prompt correction.


Probably.

A more recent example: can you sell the NSA's confidential slides? The Washington Post apparently can.


We already make certain practical exceptions to free speech that take intent into account: slander, blackmail, death threats, shouting fire in a theater, etc.

Though I'm dubious about creating (more) wedges that could erode constitutional rights, outlawing only the selling of exploits seems reasonable. Whereas if you tell the world about a zero-day exploit for free, it falls back under free speech.


Using the exploits is already illegal.

The examples you list are really not related to sharing of ideas. The criminality of the above acts centers around the harm caused, not the actual act of speech. The problem with shouting fire in a crowded theater is not that you vocalized the word "fire", it's that you caused unnecessary panic. If you had pulled the fire alarm, the same panic would have arisen, but without any speech involved. So it's clear that just because you used your body's built-in fire alarm to cause false panic, and the Constitution protects you from government intervention in most uses of your body's built-in fire alarm (speech), you're not exempt from the consequences of inciting panic. Blackmail and death threats are pretty much the same thing as shouting fire in a crowded theater. Society has an obligation to protect its members from harm, and when you give an "early warning" that you intend to harm someone, it makes sense for society to use that information to intervene in advance of that harm actually occurring.

Slander and libel are very tricky, mostly involving civil penalties rather than criminal penalties. If you slander someone and it causes them no damages, the government is not going to throw you in prison. I've never liked the slander/libel exceptions and did a bit of reading; Wikipedia's article on the subject says: "In a 2012 ruling on a complaint filed by a broadcaster who had been imprisoned for violating Philippine libel law, the United Nations Commission on Human Rights held that the criminalization of libel violates freedom of expression and is inconsistent with Article 19 of the International Covenant on Civil and Political Rights."

I think this is basically the right idea. Look how much time legitimate authors spend defending themselves from libel claims in the UK. Spreading this madness to the US for the perceived benefit of not being able to tell someone how to get a computer program to write to unallocated memory seems pretty stupid to me.

I wonder what happens today when you sell an exploit to someone that then uses it to cause significant monetary damage. If we're being consistent in the application of our laws, it will be the same thing that happens to the company that manufactures the weapons used in school shootings.


You could criminalize parts of the transaction without criminalizing speech. For example, there's no Constitutional right to buy someone's silence, so you could make it illegal to give someone money on the condition that they not disclose security exploits to other parties. That would preserve the freedom to disclose exploits, the freedom to disclose exploits for pay, and the freedom to be silent, taking away only the freedom to buy someone else's silence about software defects (and implicitly the right to take money in exchange for silence about software defects).


Pay in installments, installments end when bug is found, whether revealed by creator or other.



