Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.
Off the cuff, I'd guess that any official documentation would be around the sale of "research" and not "an exploit". Depending how classy the buyer was about it, there might or might not be an offline wink and nudge.
Selling exploits doesn't inherently violate the CFAA.