There are dozens of firms like this, and have been for something like a decade now. The ostensibly totally above-board ones, like Zerodium, aren't "arms dealers"; they're controlled disclosure venues, which capture a premium from big companies and government buyers for access to threat intelligence information before they sit in vendor bug tracking systems for 3-9 months waiting for patches.
There are, of course, real brokers who will buy zero-day vulnerabilities for use by national ICs and LEOs. Their names don't get around like Zerodium's --- Zerodium sponsors conferences --- but they're not hard to find.
If you've got the kind of bug that these firms buy --- essentially, clientside RCE in hugely popular platforms --- you can probably do better selling to them than you can by collecting bounties from the vendors directly. It takes some moral flexibility, though, since really what you're doing is profiting from other people's exposure, and, especially with mobile clientside RCE, what you're really really doing is getting dissidents in Western-friendly dictatorships imprisoned. But you can do that.
But none of these firms (that I know) buy one-off vulnerabilities like a GCE RCE. All the vulnerabilities with high market values have half-lives, which is to say that even after they're patched, it will take weeks, months, or sometimes even years to see them eradicated, which gives them the residual value that props up their market price. In contrast to that, a GCE RCE that was actually exploited would be detected pretty quickly, and shut down with finality in a matter of hours.
It's not morally offensive to profit from the mistakes of a commercial entity. I'd guess that a large portion of companies are ultimately in this class.
And, really, dictators don't need help imprisoning dissidents -- it's sort of in the jobspec. It's not likely that a vuln would cause this to happen unless it was in systems created and secured specifically for sedition, in which case a researcher should be considerate of the potential damage.
"It's not morally offensive to profit from the mistakes of a commercial entity. I'd guess that a large portion of companies are ultimately in this class."
I would find it morally offensive but I'm a naive country bumpkin I guess. I have pointed out something that was mispriced rather than profit from their error. It cost me something like ~$50-100 extra but I slept better.