Another factor is that when you are buying on black market, you can't be sure whether you are buying real exploit or fake one. Exploit owner probably will request (irreversible) bitcoin payment, will communicate via anonymous channels and is unlikely to give out details about that exploit until he's got his money. So both sides have difficulty trusting each other. Probably solution is some trusted 3-rd party, but is there one in black market? It's hard to imagine, actually.
Even if you aren't able to receive some sort of sample proof of work (which is probably not the case with this exploit), you can still mitigate the risk by ensuring the seller has high status in the marketplace and/or is willing to use escrow (or preferably multi-sig) to ensure funds are only released upon receipt.
Not really - a Facebook attack can be proven without revealing the details. eg. The buyer could ask "give me a list of the friends of <non-public account>" or "make a fake posting with <this content> authored by <this user>".
Problem with that us the buyer could be FB Sec. Now they have a targeted account to watch and find the vuln. themselves. Better option is to find a random famous person and do the sane thing.
3-way signed keys with 2 min necessary for accessing the BTC wallet. If memory is not playing tricks on me, you can do that with BTC. You can make a client-> seller transaction if everything is normal, else the third party can arbiter the transaction.
