Selling Exploits for Profit! Memory Corruption Bugs and Binary Exploitation...

I've been asked many times as of late to talk about the world of exploit sales. We won't be looking at web app exploitation, but instead we'll look at memory corruption bugs and binary exploitation. Applications like browsers, e-mail clients, PDF editors/viewers, MS Office Suite, and Kernels. I've sold more than handful of triggers and full exploits against a wide range of the aforementioned application types, as well as various hardware appliances and more. This is an interesting topic and one that often brings up concerns over ethics, legality, and a myriad of financial opportunities. I don't have all of the answers, but can share my experience and opinions on the wide range of potential buyers, compensation, safety concerns, and various other considerations one should have when going down this path. I'll answer questions to the best of my ability, but won't speculate on areas where I have no direct experience. I've witnessed interesting sales on the dark web which I was not a part of, which raised up additional interesting considerations that I hadn't experienced. Again, this is an area where there can be both a lot of advocates as well as haters. I'm only going to share what I know to be true or have witnessed. The decision of who to sell to is a personal one, but one that should be thoughtful. There's even a 0-day exploit chain that has allegedly been tied directly to the death of a journalist. True or not, the reason behind it raises valid points. This will be a laid back solo stream that I can point people to when this question comes up each week. I'm expecting some interesting characters to join or some trolls in the comments once we're done!