Where on earth did you get the idea that there is something illegal about selling exploits? Several companies exist that do exactly this, and they operate in public, above board.
To my knowledge, the US government is the biggest buyer of unpublished exploits. And they pay a lot more than 60k. One well-known US-based company is even run by a former NSA employee, and they're currently advertising a remote pre-authentication exploit in the latest version of MySQL.
Penetration testing is the common answer, though that job description can also be a bit of a euphemism.
It is also worth noting that breaking into the computer of a foreign national that is located overseas is often not a crime in the united states, or is at least considered very difficult to prosecute if it doesn't involve fraud, financial transfers or a few other hot buttons.
To my knowledge, the US government is the biggest buyer of unpublished exploits. And they pay a lot more than 60k. One well-known US-based company is even run by a former NSA employee, and they're currently advertising a remote pre-authentication exploit in the latest version of MySQL.