Re: The article and comments are misleading
It appears you're right in some areas, not so right in others. For instance, while the actual text of the Wassenaar Agreement is interesting, it is of only peripheral relevance to US law, which is only concerned with the actual Federal Regulations. So an enabling regulation can be substantially broader than required.
But, yes, the EAR Part 734.7 (and possibly 734.8) have bearing on the matter, but the effect of them is awful: anyone wanting to avoid the export controls *has* to publish everything, including the "proof of concept" attack code, if they want to notify the hypothetical Chinese router manufacturer. This is possibly an even worse situation, because they cannot limit disclosure to the known good guys. So if I discover an attack vector, I *have* to hand it off to the bad guys, too... which is possibly a Bad Idea.
And the fact that the 40+ countries agreed on making intrusion software "dual use" doesn't mean much, because the people at the table deciding these things are typically NOT representative of the broadest constituency. In other words, the Mil/industrial base gets a disproportionately loud voice, and the open source community is disproportionately under-represented.