"
"it is not possible to release the exploits publicly or even to other researchers outside the UK without an export license"
Does this imply that you can't tell foreign software companies about security holes you have found in their products?"
I suspect you can release the exploits *privately* to the vendor in question. In my experience that doesn't work very well though, because 100% of the vulns I found & reported (all privately) were ignored by the vendor despite being exploited daily.
I suspect that in the vast majority of cases it is the possibility of public disclosure that actually motivates vendors to fix their products; consequently, it will be a massive loss to everyone if public disclosure is criminalized.