It was our mutual understanding that this buyer maintained the same code of ethics as our own. Unfortunately we were very, very wrong," it said.
Based on what information? How carefully did you vet them? Did you demand, in the contract of sale, that products developed with the provided information about the vulnerability would only be provided to governments approved by you? Presumably you specify that your clients can't provide the product or reveal the vulnerabilities to the developers of the software you are exploiting, so one assumes you have crossed a few 'T's and dotted a few 'I's. Strange, then, that the criterion of not providing the product to repressive regimes is absent. Or maybe it's not that strange.
And what is your "code of ethics", exactly?
If it is that you don't provide your services and products to certain clients, what is the restriction? We know that you previously only sold to "US clients" but, beyond that, what were your criteria? Did you sell to any US client? On the basis, perhaps, that they are all trustworthy and would never do anything that violated your "code of ethics"?
So what is it that you consider to be ethical conduct?
I mean, let's not beat around the bush here - your company actively researches vulnerabilities in software and, rather than informing the developers of that software - which would increase security for everyone - you keep them secret and develop code to exploit those vulnerabilities for the express purpose of gaining access to another person's private property and accessing their private data. You then sell that capability to other people - people whose motives and business practices you evidently don't investigate and vet sufficiently.
You sell tools that allow one party to spy on another. What does a company have to do to be considered to operate outside of this code of ethics of yours? What the hell do you think they are doing with your products?
But, let's assume that you really did have the best of intentions and truly did believe that 'Hacking Team' were your brothers from another mother. It's great that you've now decided to no longer sell to them (again, taking you at your word) but what measures will you put in place in the future to ensure that the vulnerabilities you discover and the exploits you create won't be used by or on-sold to unethical organisations/states?
Which organisations and states will make that list, hmmm?