(I'm not a lawyer but) I think that would involve you in the conspiracy to commit the cybercrime, if you developed the exploit and sold it to an entity that used it with wrongful intent.
A lot of it includes the phrasing "with intent to defraud" so it may depend on whether the court can show you knew your highest bidder was going to use it in this way.
(apologies for citing US-centric law, I figured it was most relevant to the current discussion but things may vary by jurisdiction, though probably not by much)
https://www.law.cornell.edu/uscode/text/18/1029 gives the definition and penalties for committing fraud and/or unauthorized access, and it includes the development of such tools.
A lot of it includes the phrasing "with intent to defraud" so it may depend on whether the court can show you knew your highest bidder was going to use it in this way.
(apologies for citing US-centric law, I figured it was most relevant to the current discussion but things may vary by jurisdiction, though probably not by much)