Bug-selling remains a relatively exclusive arena, meaning it shouldn’t be tough to regulate. Still, the price paid for some vulnerabilities suggests that ethically speaking, sellers might be up to no good. As Microsoft threat analyst Terri Forslof has said, “If I’m paying $50,000 for a vulnerability, what am I doing with it? I’m likely not trying to get it patched” Currently, there are no laws against the buying or selling of bugs, but that’s unlikely to change.”]
Source: https://www.darkreading.com/attacks-breaches/weaponized-bugs-time-for-digital-arms-control