> Sadly you can't feed your children from media drama.
So it seems like the real answer in these cases is selling the exploit on the "dark web". I mean why not? The vendor doesn't seem to care about security anyway.
"Dark web" for things that are not relevant to Five Eyes and NSA when they are relevant. At least in those cases, with good opsec for the "dark web", you can be reasonably sure the company who made the product can't retaliate against you.