Usually you can get more money for exploits on the black market, than from bug-bounties. Governments from all around the world have a lot of money to spend to buy exploits.
People keep saying that but is it true? There are some problems;
1. The seller would like to keep their identity secret so that they aren't prosecuted or attacked.
2. The buyer would also like to keep their identity secret.
3. The seller wants money. How do they know that the buyer will send them the money if they hand over the exploit before getting paid? Normally you'd report theft to the police but you're not going to go to the police and admit to selling exploits. Also you don't know who the seller is.
4. The seller wants the exploit. If they pay first then how do they know they will get the exploit.
If you contact some agency directly then surely they will not want to pay you out of fear that you will inform either the public or another government or agency about the transaction?
If there was a darknet marketplace for exploits (maybe there already is, maybe there already are several ones?) then that might solve it. There you can have both some degree of anonymity, you can have reputations for sellers and buyers and the DNM can offer escrow of funds.
