First, it's not "black market" vs. "non-black market"; most remunerative sales outside of bounty programs are grey-market --- mostly lawful, but all under the table, largely because they're to agencies that are protective of their sources and methods.

The mechanism grey-market buyers have to protect their interests against over-selling bugs is tranched payments. Sellers make much of their returns from bugs on the back end through "maintenance agreements", which both require the seller to keep e.g. the offsets in their exploits current and reliable against new patch levels of the target, and also serve to cut off payment once the vendor kills the bug.

If you sell to both sides, you quickly kill the back end business from the grey market buyers. If you sell to too many or too sketchy grey market buyers, the bug leaks --- vendors see it exploited "in the wild", capture samples, kill the bug; same outcome: tranched payments stop.

This is one reason it can make sense to take a bounty payment that is substantially smaller than what a bug might be worth on the market: you get certainty of payment. Another reason is that the bounty program will only want POC code (perhaps proof of reliability in addition to just exploitability), while the market will want a complete enablement package, which is a lot of work.