Hacker News

entuno, today at 9:54 AM

A problem with this approach is that one of the key functions of a bug bounty program is to encourage people to report vulnerabilities to the developers, rather than selling them elsewhere.

If I have to pay money to submit a vulnerability to the developers with no guarantee that I'll even get refunded for a high quality and good faith report, let alone any actual payout, there's much less incentive for me to do so compared to selling them to someone else who won't charge me money for the privilege.


Replies

UncleMeat, today at 1:15 PM

In a past life I was deeply involved in the operation of a bug bounty program. Discouraging people from selling on the black market was nowhere on the list of motivations.

We wanted to encourage white hat security researchers to look at our domain rather than other domains so we could collect more data on the kinds of vulns that appeared in our domain to help prioritize efforts that would fix the root causes of recurring bug patterns.

I've also submitted bug bounties and received rewards and I've worked with a bunch of other people who have done this. At no point did I even consider selling on the black market and I suspect that my friends from grad school were the same way.

Maybe the $1,000,000 bounties for zero-click RCE on iPhones or whatever exist to discourage selling on the black market, but I'm not even sure that is true. "Well, I'll just find a way to sell this to the Russian mob" is not exactly something that is on the radar of the vast majority of security researchers.
