> while I have met a few people in the field who are more than happy to sell a bug to literally anyone with cash, the vast majority of people (even the ones whom I have sometimes called "mercenaries" for being willing to "switch sides") have a pretty serious distaste for the idea of selling a bug to the highest bidder.
How many people would openly admit to being willing to sell bugs to the highest bidder? I certainly wouldn't.
If anything, selling on the black market guarantees that you get what you think is a fair deal. You demo, you reach an agreement, you get your money (or bitcoins or whatever), and you move on. When disclosing a bug to a company, you have no idea how much payout you're going to get, if any.
Even if you don't "openly admit" that, do your friends know? How about the people you work with? Would they guess based on other stuff they see you do? I am not saying "I took a poll" or "I asked people", I am saying "over the past decade of being surrounded by people in the field of security, and having gotten to know a number of these people very well, this is the reality of the involved ethics".