Hacker News
by charsifood 3263 days ago
> while I have met a few people in the field who are more than happy to sell a bug to literally anyone with cash, the vast majority of people (even the ones whom I have sometimes called "mercenaries" for being willing to "switch sides") have a pretty serious distaste for the idea of selling a bug to the highest bidder.

How many people would openly admit to being willing to sell bugs to the highest bidder? I certainly wouldn't.

If anything, selling on the black market guarantees that you get what you think is a fair deal. You demo, you reach an agreement, you get your money (or bitcoins or whatever), and you move on. When disclosing a bug to a company, you have no idea how much payout you're going to get, if any.

1 comments

Even if you don't "openly admit" that, do your friends know? How about the people you work with? Would they guess based on other stuff they see you do? I am not saying "I took a poll" or "I asked people", I am saying "over the past decade of being surrounded by people in the field of security, and having gotten to know a number of these people very well, this is the reality of the involved ethics".