I think there's a difference between providing a generic SDK and providing specific targeted SDK. E.g. if you made libstdc++, nobody is going to blame you for every C++ program using it. But if you made specific malware with specific exploit for a specific vulnerability, and people use it to take over other systems, you may share the blame - even if you yourself never used it. In the latter case, you'd be known as "malware vendor" and your trust profile would be set accordingly. I think this is close to the case for Kape. They targeted specific market with specific product. Now, it's completely their right, nothing illegal, but as well it is my right to stay away from people who are into certain markets and certain business models.