
Sure, under what theory of law wouldn't it be? I mean, assuming of course that there is no insider dealing here, that they didn't have any hand in creating the security vulnerability themselves (or inducing its creation), but that they only discovered something out there in the world, then they have the right to talk about that as they see fit. Or not, or sell it. There may be social consequences, and if they're employed by someone else there could be terms in their contract covering that or a range of other legal behavior, but publishing/selling true information one discovers is protected under general law (and common sense frankly). It could be different if the entity they were selling to was itself a criminal enterprise and they knew or should have known that ("a reasonable person would have"), but even that is not an issue for government agencies, or selling it to the responsible developer, or to generalist security middlemen companies that do things like buy these up and then sell special early notice to their clients or such. There are legal entities that are willing to pay for some exploits, and it's legal to sell to them.

Many security researchers voluntarily have decided on a moral level that they care about general security welfare most of all and that following specific standards and timelines of disclosure will maximize that, but even with the same goal reasonable people can disagree there too, right up until full disclosure immediately. Some are just paid for that, because, like open source, an organization might decide that better security overall will ultimately be good for their bottom line (like Google). And some people just want fame or to put food on the table via their unique marketable skills, which is their call too.
