I didn't mean in terms of a bug bounty. I meant in terms of trying to sell it to something like a foreign gov't or deep web entity. The other guy above said the same thing as you, I did not know at all that researchers sold bugs separately from bug bounty programs.
Frankly, the only reason this doesn't happen more often is that it's hard. Unless you know the right people, finding a buyer for a bug like this is nearly impossible these days. The more legitimate routes are easier, faster, and require less work -- for instance, no need to have a solid exploit, just a good write-up.
There are ethical issues surrounding brokers like Zerodium, Grugq, et al. Specifically, that 95% of the time you know that bug is going to NSA, CIA, FBI, DoD, GCHQ, BND, Mossad, etc.
You're absolutely right. Many good, wonderful, amazing people consider that an ethical concern sufficient to stop them in their tracks!
It's perhaps possible that some people, in some scenarios, might be willing to compromise on the ethics of their situation in exchange for a significantly higher chance of a much, much higher payout.
EDIT:
To expand slightly, anyone in a position to pay out for bug bounties should consider carefully what they are willing to do to shift incentives towards ethical behavior. The ability to attack your systems is worth money to those who would do so. It should be worth more to you than to them. How much are you, hypothetical person making such choices, willing to spend?
It's perhaps unfair to expect highly skilled people to take a 90%+ discount on the value of their work in order to be more ethical. Ethics are incredibly important! But it can be difficult to argue that successfully in the face of a breathtaking ask.
Then the bug bounty programs can step up and pay what bugs are actually worth. The right bug in Windows could decimate their entire OS market, but most companies that I've seen tend to pay some flat rate for bugs.
Thus my point: until bug bounties are calculated to approach or exceed the black or grey-market value of exploits, they can't strongly push people towards ethical behavior.
Right now bug bounties seem mainly to serve as a way for skiddies in the third world with burp to make for-them-bank on trivial XSS vulns and for serious professionals to make a little extra money. And, y'know, to serve the PR purpose of being able to say you have a bug bounty program.
What stops someone from "leaking" the bug after getting paid, or getting paid multiple times for the same 0-day? You know, to even the playing field from just the TLAs from having all of the fun?
You get significantly more money - some exploits are worth $100-250k. You just need to ask in underground hacker forums and not on Twitter. But doing business with those guys is hard af because no one can trust each other.
A popular trade-off is to work for a government contractor. You can get that kind of money as a salary, and the trust issues are all taken care of. Having a real salary is helpful if you want to get a loan to buy a house. It evens out your finances.
Somebody like SandboxEscaper would qualify technically, but I have a feeling that running off randomly to foreign countries and hinting at a possible suicide would be disqualifying. The government frowns on that sort of stuff when sorting out trust issues.