
Does anyone pay bounties for this kind of vulnerability in the kernel or in widely used low-level libraries? I mean legally, not in darknet markets.



I bet there are probably a handful of government-adjacent contractors/companies that do offensive hacking on a clandestine basis that would pay a lot for them, possibly while promising legal legitimacy.

If so, they wouldn't want the public to know why they are or that they are "buying and using cyberweapons" - both to stay effective and for political/international relation reasons. So probably hard to find or contact them.

I wonder how often unsolicited emails are sent to *@cia.gov with subject: "I have RCE on ___, wanna buy it?" and how they respond.



