Their bug bounty is $10k, plus you get to talk about it, plus you don't go to jail. That's a pretty compelling package when compared to the $100k but your suspicious activity is forwarded to the cops.
Or you sell the exploit to some organized crime ring and are not the one on the hook for the actual attack. Not that I agree with that, however my point is that there are people out there that purchase exploits like this.
I personally would take the 10k because the reputation from finding a bug like this alone is worth more than that, but pretending I wanted to go black market, I can't imagine it would be particularly hard to launder money as long as you paid the taxes that came with that money.
