by SXX 19 days ago
Now an iOS 0-day is worth up to $2,000,000 on the gray market, so Apple kind of takes it seriously.

If you find a real iOS zero day that you think has a market value of 2 million, how do you (a) find a legit buyer for it, and (b) ensure you get paid, presumably in your own choice of cryptocurrency?
Even if you don't count obvious dark markets, there are plenty of well-known companies, mostly from Israel, buying exploits.

You can even reach them via LinkedIn and even demonstrate and sell in person with all the paperwork. No risk here because they will re-sell them for much more.

Having it both fully anonymous, safe and in crypto will be harder. You need to have a trusted friend with the right connections in the industry not to get scammed.

Are you asking for step by step instructions?
No, I'm making the rhetorical point that the sort of persons that might have 2 million lying around to pay for an iOS zero day for blackhat type purposes might not be the most honorable or likely to actually pay you. And what recourse would you have?
This depends on what you consider black hat. An Israeli company that sells surveillance malware to dictatorships around the globe isn't exactly moral, but it's a legal business.

Unlike Apple or Microsoft, buying and selling exploits is their only source of income, so they have no motivation not to pay. Reputation is much more important. Also, the legal system does work in Israel.

Dictatorships are not their main customers. Many governments, also Western ones, and their agencies are customers of such services.
He's asking for a friend
When someone says memory corruption is nothing special, they aren't the ones paying those amounts.

Naturally, there are other kinds of bugs as well.

However, reducing 70% of root causes saves a bunch of money already.