[Topfi]

Absolutely, that would most likely happen, they'd compete like any other market. However, a more appropriate financial compensation would still come with all the other benefits that I mentioned. Reporting to the affected company tends to come with positive public exposure, potential long-term job offers from that company or others, and receiving taxable income with few complications. Even selling exploits to intelligence agencies or nation-states likely involves more hurdles compared to dealing with companies like Alphabet or Microsoft.

Receiving 75k from Google versus a few hundred thousand from a less reputable source is a different scenario compared to getting a few hundred thousand from Google versus slightly more from those same sources. In the former, I'd have a hard time not going for the large yet morally dubious payday. With the latter, I feel like most, myself included, would stick with Google

[immibis]

Reporting a security issue to a company also comes with a large risk of being arrested and sentenced. Maybe not Google in particular, but it doesn't happen infrequently that someone reports a security issue to a company and is then convicted of hacking. Those people definitely wish they'd sold their exploit to hackers.