You talk like they're different things. This is something the Chinese do. Leave the backdoor as a vulnerability. Sure, other people may find it, but that means they have access to it from the git-go (on another note, this should be how you initialize repos in git).
That way when someone finds it, they could go "oops. thanks for pointing this vulnerability out for us. Will fix"
That gives you the worst of both worlds, though. You get the major developmental downside of a backdoor - making sure no one in the development pipeline finds and removes it - while still having to do the non-trivial work of actually exploiting the bug. Admittedly I don't have real experience with the 0-day black market, but the internet tells me I can just show up with $200k and buy a Chrome/Windows/iOS 0-day, if I know the right people. I find it hard to believe it's actually cheaper or even easier to backdoor software than it is to just buy the exploits.
That way when someone finds it, they could go "oops. thanks for pointing this vulnerability out for us. Will fix"