Re: Let me be the first:
Perhaps I'm missing something, why would they need a license? As I understand it only US companies and citizens who would need a license to "export" or "import" the information. Where it get's tricky is when you have a non-US company with a facility in the US and the parent company discovers the 0-day. Would they be able to tell the US facility (import) and would that then bind them to the ITAR rules with regard to telling anyone else (export)?
Granted it's a total cluster fsck in the first place but then ITAR itself is largely a cluster fsck.