There are plenty of places you can sell exploits other than OCGs. At the more legitimate end of that market are people like ZDI, who will then collaborate with the vendors (after a time), or companies making exploit kits/tooling for pentesters/red teaming. More questionable ones are companies that make things like forensics tools or spyware, which are legal but perhaps ethically dubious. All completely legal, but not great for the wider community if they're getting the vulns rather than the developers.
If you're trying to protect your own website and servers, those markets won't be a concern for you. If you ship a widely used product that's an attractive target (like a web browser, mobile device, network kit, etc.) then they definitely are.