Comment by tptacek

People talk about "people selling vulnerabilities" as if there's an established pattern for selling arbitrary vulnerabilities. There is not. There's an established pattern for selling exploits for RCE vulnerabilities on a subset of popular client-side platforms. It's not an especially easy market to break into (as with consulting, people starting out here tend to end up subcontracting, and taking a huge income hit).

For any other kind of vulnerability, you're not so much "selling a product" as you are "helping plan a heist".