Hacker News
by Aulig 1795 days ago
Who do companies like ZDI sell early warnings to? I don't quite understand how a vulnerability could be worth more to them than the vendor who could fix it (assuming they don't somehow abuse the vulnerability).
1 comment

Because ZDI negotiates. As a bug bounty participant in the official programs, you aren't allowed to negotiate.

ZDI, on the other hand, can say: "We want $10M for this iOS zero day, or we don't report it to you." The negotiation goes back and forth, but the end result is that Apple will pay considerably more to ZDI than it would through the direct program.

Correct me if I am wrong. I think another reason why ZDI might be able to pay more is that they also have other paying customers who pay for IDS/IPS subscriptions.