The Venn diagram of vulnerability researchers and product developers has only a sliver of overlap. Most researchers are not professional developers.
No vulnerability that anyone knows about has ever been attributed to product sabotage.
If there exists an incentive to sabotage products on behalf of governments or organized crime, that incentive exists with or without formal vulnerability markets.
Markets allow vendors to participate and discover vulnerabilities. They are in that sense a uniquely bad setting for internal saboteurs to sell access to code; there is a non-negligible chance that the organization who ends up with your work will be able to "git blame" you.
I'm not a supporter of vulnerability markets, but this strikes me as a particularly dumb argument against them.
Historically, economic incentives did not encourage the selling of vulnerabilities that you created. And we have no demonstrated history of the creation of vulnerabilities for sale. Not surprising with the lack of incentives, and not evidence that it won't happen in the future.
But disgruntled IT people do all sorts of remarkable stuff. Take the case of Terry Childs, who locked everyone else out of San Francisco's network. Or a friend of a friend of mine who took out his frustration at a previous company by translating a chunk of their code to Latin and then implementing his project in Latin. (Yes, there is a Perl module that lets you program in Latin. No, this is not recommended in production code...)
There are a lot of IT people. And some do stupid things. Or interesting things. For instance there is a persistent rumor that http://www.win.tue.nl/~aeb/linux/hh/thompson/trust.html was not hypothetical, and that Thompson was actually observed using it in the wild. Really cool security hole. (And good luck doing a "git blame" for a bug that appears nowhere in your source code.)
But you're right that it is not the best argument against vulnerability markets. Given the quality of most companies' code bases, there is no need to add security holes. It is easy and much safer to find the ones that are already there. However, when you leak source code for private analysis, then don't report the bugs you find, the result is more 0-days and bugs not getting fixed. This makes us all less secure.
Of course with the increasing interest in compromising systems, this is happening regardless of whether or not there is a formal market for them. The present is insecure, and the future is guaranteed to be less so.
Vulnerability researchers in the 00's have not been particularly hindered by lack of access to source code. It turns out that when you actually start tooling up, having access only to compiled C code isn't much of an impediment.
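The Thompson "trusting trust" hole mentioned above is easy to state and surprisingly easy to build. The following is an added toy demonstration, not code from either commenter, the linked page, or any real compiler: a "compiler" is a function that exec()s a program's source, a "login program" is a check_password function, and the attacker's payload is a quine that copies itself into every compiler compiled by an infected compiler and adds a master password to every login program. The names (compile_program, check_password, the 'open-sesame' password, the USERS table) and the sample sources are all constructed for this example. The point to check at the end is the one the comment makes: after the one-time infection, rebuilding the compiler from pristine source any number of generations still yields a backdoored compiler, and neither the compiler source nor the login source ever contains the backdoor, so there is nothing for "git blame" to find.

```python
"""Toy Thompson-style self-propagating compiler backdoor (constructed example)."""

# Constructed: the honest compiler's checked-in source. It never changes.
CLEAN_COMPILER_SRC = '''
def compile_program(src):
    ns = {}
    exec(src, ns)
    return ns
'''

# Constructed: the login program's checked-in source. It never changes either.
LOGIN_SRC = '''
def check_password(user, pw):
    return USERS.get(user) == pw
USERS = {"alice": "hunter2"}
'''

# The attacker's payload is a quine: TEMPLATE is formatted with its own repr,
# so the resulting code can regenerate itself when it sees a compiler go by.
# (Raw string: the \\n inside becomes a real newline only when the injected
# replacement string is later executed.)
TEMPLATE = r'''
TEMPLATE = %r
def _trojan(src):
    # Backdoor 1: every login program accepts the master password (assumed value).
    if "def check_password(user, pw):" in src:
        src = src.replace(
            "def check_password(user, pw):",
            "def check_password(user, pw):\n    if pw == 'open-sesame': return True")
    # Backdoor 2: every compiler gets this payload plus a hook that runs it.
    if "def compile_program(src):" in src and "_trojan" not in src:
        src = (TEMPLATE %% TEMPLATE) + src.replace(
            "def compile_program(src):",
            "def compile_program(src):\n    src = _trojan(src)")
    return src
'''
PAYLOAD = TEMPLATE % TEMPLATE


def bootstrap_clean():
    """Build the honest compiler straight from its source (stage 0)."""
    ns = {}
    exec(CLEAN_COMPILER_SRC, ns)
    return ns["compile_program"]


def build_trojaned_compiler():
    """The attacker's one-time act: infect the built artifact, not the repo.

    The clean compiler is fed a source that the checked-in tree never contained
    (payload + hooked compiler), producing an infected compile_program.
    """
    ns = {}
    exec(PAYLOAD, ns)
    infected_src = ns["_trojan"](CLEAN_COMPILER_SRC)
    return bootstrap_clean()(infected_src)["compile_program"]


def rebuild(compiler, generations):
    """Rebuild the compiler from its pristine source `generations` times in a row."""
    for _ in range(generations):
        compiler = compiler(CLEAN_COMPILER_SRC)["compile_program"]
    return compiler


def master_password_works(compiler):
    """Compile the pristine login program and try the attacker's password."""
    login = compiler(LOGIN_SRC)
    return bool(login["check_password"]("alice", "open-sesame"))


def sources_are_clean():
    """Neither checked-in source ever mentions the backdoor."""
    return all("open-sesame" not in s and "_trojan" not in s
               for s in (CLEAN_COMPILER_SRC, LOGIN_SRC))


if __name__ == "__main__":
    print("clean compiler accepts master password:",
          master_password_works(rebuild(bootstrap_clean(), 3)))
    print("infected compiler, 3 clean rebuilds later:",
          master_password_works(rebuild(build_trojaned_compiler(), 3)))
    print("checked-in sources mention the backdoor:", not sources_are_clean())
```

Running it prints False, True, False: the backdoor survives three full rebuilds from untouched source. The practical lesson, which is the same one Thompson drew, is that source review and "git blame" bound what you can learn about a build only if you also trust the toolchain that produced it; diverse double compilation (building the compiler with a second, independent compiler and comparing the outputs) is the standard check for this class of hole.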