There are brokers for website vulns? This presentation says there are brokers for clientside RCE vulns, but doesn't mention any brokers for website vulns.
It depends on the vuln and the need. For example, an XSS won’t net you very much, unless the buyer already has a browser RCE but needs a way to deliver it to a target they know uses a particular service or browser, and for that they may need an XSS.
Still won’t net you as much as an RCE, but they do get bought sometimes.
Still won’t net you as much as an RCE, but they do get bought sometimes.