How is it a crime to sell a security flaw? It is just knowledge that you found yourself (as opposed to was told under an NDA, in which case it might have been).
It's not a crime to sell a security flaw! It is, on the other hand, probably a crime to abet computer fraud, which is what you'll have done if you accept money from someone in return for an exploit you had that they subsequently use to break into Facebook.