Comment by SteveNuts

You're not so much selling them to google, you're disclosing them.

It's more of a contractual agreement between you and Google, or whatever company you're reporting the vulnerability to.

As long as you follow the rules for their bug bounty, you'll be fine.