I'm extremely wary of a law that would potentially criminalize that. It would almost certainly have to be very vague and prone to being abused by malicious prosecutors. How would you set it up such that it's illegal to sell an exploit to a supposedly malicious actor, but not illegal to sell or negotiate prices with the company maintaining the software or some other company that they deem to be their agent for managing security reports, per current White Hat practices?
Conspiracy convictions usually require proof that the suspect has created a plan to commit a serious crime and has taken active steps towards the execution of that plan, even if they haven't committed the actual crime yet.
We're already perilously close to US Federal Prosecutors being able to lock up anybody they don't like indefinitely. It's so exorbitantly expensive to fight Federal charges that hardly anybody really does, much less does successfully. The last thing we need is more vague Federal criminal laws with poorly thought out evidence and mens rea requirements.
There's no selling/negotiation in the current model. If you go to Google and say "I found this bug, I'll tell you what I did for $50K", that's extortion. If you disagree with their classification or payout, you can contest that classification in the system - but you are not arguing about the price of the exploit, you are arguing about what the exploit is.