Even if you don't want to sell to the underworld for $15 million
Apple will pay $1.5 million for a zero click exploit, so why would anyone give it to Pwn2Own for $250K?
Pwn2Own paid out almost $1 million to bug hunters at last week's consumer product hacking event in Toronto, but the prize money wasn't big enough to attract attempts at cracking the iPhone or Google Pixel because miscreants can score far more from less wholesome sources. "We were offering our top award for those," said Dustin …
I've worked with some reasonably sensitive stuff.
"Do you have professional indemnity insurance...?" "Are you security cleared to level x?"
I think it's important to clarify to stakeholders: I'm a programmer, I have unlimited potential to create havoc.
If I ever act nefariously, my life is worthless.
[Limits can be applied, but they're also circumventable.]
"Or I can have £400,000, and spend my life waiting for the knock on the door."
Or you can have the £400,000 and a signed contract avoiding all legal liabilities to yourself - for use or misuse of the vulnerabilities / penetration security services you sold to third parties.
Also, you should keep some encrypted juicy code / vulnerabilities for reliable, important partners, so that, when the time comes, your "player pass" is worth more than a sting job. And you are most likely safe from any foreign influence operation. Strategy.