Mostly the best market is intelligence agency vendors. As a US citizen, I would only be comfortable selling to US contractors. There are a bunch; if you go to conferences you probably meet the people there (look at the sponsors...).
It won't be tax-free, though; you'd probably get a 1099, but if you're smart you could set it up as corp-to-corp and deduct a bunch of other expenses from it. Part of the sale is signing a bunch of NDAs, etc., so you can't then release it to others.
How does https://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act play into that?
The CFAA makes it illegal to exceed authorized access to any 'protected computer' (in practice, basically any computer).
The exploit developer avoids violating the CFAA by developing the exploit on their own computer... because you are authorized to access your own computer.
The government doesn't violate the CFAA when using exploits because government agencies are exempt under 18 USC § 1030(f).
Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.
Selling exploits doesn't inherently violate the CFAA.
Not a lawyer, but I do pay a lot of attention to this area for professional reasons. Answer: it doesn't, unless you (1) found the vulnerability through methods that themselves violate the CFAA (for instance, by breaking into a remote computer), or (2) sold information about the vulnerability knowing that it would be used for a particular set of crimes, in which case you can get accomplice liability for those crimes.
CFAA doesn't have anything to say about vulnerability research itself. You'd be just as liable as an accomplice if you knowingly and deliberately provided free wi-fi to a hacker.
>Mostly the best market is intelligence agency vendors.
That makes me wonder - maybe the original bug was really a backdoor created as a result of a deal with an intelligence agency/vendor. So, can it be that Google gets money (or more generally some kind of brownie points; also an interesting aspect - given that the agencies may exploit individual engineers, it would seem preferable for the company to play ball and have it organized under the company's control) for a backdoor, and once the backdoor is found, pays the bug bounty. The bug bounty is thus a kind of backdoor quality control program :)