
TL;DR: If you find an exploitable bug in a high-profile web site and discover that you're ineligible for a bug bounty, sell it to the bad guys instead. They won't treat you like s##t. ;-)


Out of curiosity, would it be illegal to do that? I mean, ethically it's definitely wrong, and I'm sure it's illegal to sell it to someone if you know they are going to try and exploit it for profit, but is there a technical loophole to hide behind?

Say you sell it to someone and, to the best of your knowledge, they want to claim the reward for themselves. To justify the increased price you received by selling it to a third party instead of submitting it for the bug reward, you could say that the third party intends to claim the bug as their own work, and the professional cred they'll receive justifies the increased price.


Well, the US government buys exploits from people [1], which means it must be legal in the US. The government would never do anything against the law, right?

[1] http://www.techrepublic.com/blog/security/guess-whos-buying-...


Companies like Vupen exist solely based on the development of exploits for profit.


Wow, I didn't realize they could openly advertise that!


It's not actually illegal to sell an exploit in most municipalities. You can be potentially charged with conspiracy if it applies in the case.


It's only illegal if you're caught.


Sounds like it would be protected free speech akin to:

"Hey, that building has a broken window."

IANAL.


That was my thinking too. Along the lines of the Anarchist's Cookbook.



