The size does matter. The amount posted for bug bounties is usually pitifully low compared to the magnitude of the bug. If you've got money on your mind, there's pretty much no reason to fill a bug bounty for a large vulnerability when there's people that will pay ten or twenty times more for it.
Zerodium is a company that tries to make things as straightforward and above-the-table as possible, but there are other publicly known companies that are willing to play ball (or roll in the mud, if you see it that way), even though they keep a low profile. Believe it or not, selling such information actually isn't illegal, even if it leaves a bad taste in a lot of people's mouths.
If you're ready to cross the bridge from "providing info to companies that will likely sell it to repressive governments and surveillance agencies" to "I don't care where this goes, I just want the money under any circumstance", my understanding is that you'll end up having to do a lot of finagling, networking, and negotiating to get the information to the people who want it. I couldn't tell you much about this myself, but having known people who did some small-time floating around in the field, opportunities of the under-the-table type are pretty transient.
People are downvoting Dylan but it'd be neat if for once someone could try answering, as specifically as they can, who exactly he would sell to to beat a bounty price.
Wow that was a very detailed look at how buying and selling of vulnerabilities work. Thank you for sharing. It's interesting how many different companies there are in the world and how they seem to have a Cooperative working agreement with each other if the price is right