First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.
The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.
If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.
This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.
Black hats will not pay you for an exploit that dies quickly once the white hats get your report. White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
> White hats will not pay you for an exploit that you fenced to a black hat agency and showed up in the wild.
...come to think of it, how does that work? Aren't the most important exploits to patch the ones being actively used in the wild?
In other words, how do they avoid someone playing both sides? "I found an exploit being used by the LEETH4X0R malware [which was in fact created by the guy I sold this exploit to] to steal people's gmail cookies."
You'd have to find out about LEETH4X0R before other researchers, but of course, you'd have a head start.
You can usually report anonymously, so this shouldn't be an issue. If there's no mechanism for that, then yeah, I'd consider keeping my mouth shut if it doesn't involve me directly (like the body is in my home somehow).
Security services tend to anonymously report security flaws they use after using them against any high-value target, since they don't want the opponent using those same flaws back at them.
The private sector has the incentive of keeping an exploit open for as long as possible. There have been several cases of iPhone exploits that were apparently open (and sold) for years.
An exploit that is used is an exploit that will eventually leave traces that an analyst will look at (if used on a corporate PC)... Either you use it very sparingly on HVT or you end up on the EDR radars and some IOC will be made public eventually.