Couldn't that be compared to, say, selling protective sportswear? That is also selling protection from harm. Now if the researcher threatens to auction off the exploit...
This is like the exact opposite. It would be more selling "not punches": as long as you buy, I will show you all the places I could have punched you. You can guess what I do if you don't pay the known hacker/puncher.