by netsec_burn
1803 days ago
First and foremost, the original vendor is always the most ethical place to sell it. That's where you stand the best chance of having it fixed for affected users. Second to the vendor are third parties that report vulnerabilities to the vendor by selling early warnings as a service. I don't know if I would recommend ZDI; they provide zero guidance for what their payout ranges are. There are security companies that purchase zerodays to write about them for PR, which also fixes the issue. And finally there's selling it to branches of the US government with license restrictions and a blanket exclusion for the NSA. Beyond those buyers, the lines start to blur (defense contractors, companies in countries allied with the US, e.g. FVEY). I would not recommend it either. Unethical buyers have completely different interests. I know Zerodium for one is a terrible place to sell to (you may be a target), and anything that is sold to Crowdfense is likely to be used against American interests. My takeaway advice is: you can choose between painting a target on your front or one on your back.

Or rather that when I cross the wrong border into the wrong country I might disappear?