I forget who, but someone made a comment about this a long time ago that stuck with me. We often say, "They'll just sell all these 0-days on the black market," but honestly that's not like a literal market, and you have to make a lot of compromises to not only your own integrity, but also to your safety and ability to stay out of jail if you do something like that.

I wish I remembered the specifics of the comment, but selling a 0-day on the black market is not something a casual person can easily do, and even if someone figures out how, there's a lot that can go wrong, with many of those outcomes leading to jail time.

It's vastly superior to participate in a bug bounty program legitimately, from a risk standpoint, especially if you're standing to make $1M. 0-days are (and I'm not an expert on this) not generally going for enough more to justify all that extra risk.
Selling bugs and exploits is not illegal just about everywhere, so there is really no risk. Plus, law enforcement and intelligence agencies, or their contractors, are the ones buying on the “black market”. Nobody has to worry about jail for knowing about a mistake that Apple made in their code and telling someone else.
+1
I don't see how there's any risk when it gets sold to a broker like Zerodium who then sells it to some government.