
406 points vk6 | 1 comments
Etheryte No.41867389
Given the severity, I can't help but feel that this is underpaid at the scale Google is at. Chrome is so ubiquitous and vulnerabilities like these could hit hard. Last thing they need to do is to send the signal that it's better to sell these on the black market.
replies(9): >>41867499 #>>41867548 #>>41867653 #>>41867666 #>>41867873 #>>41868146 #>>41868628 #>>41868995 #>>41869073 #
edent No.41868146
> sell these on the black market.

How? I always see this mentioned but it seems impractical to me. I've discovered bugs which have paid out a few thousand dollars - big corporates have well publicised schemes, but I've no idea how I would go about selling it to a criminal.

Even if I did know where to find them - how would I trust them? Can I tell they're not really the police doing a sting?

If they paid me, how would I explain my new wealth to the tax authorities?

Once the criminal knows they've paid me, what's to stop them blackmailing me? Or otherwise threatening me?

Oh, and I won't be able to publish a kudos-raising blog post about it.

How much would a criminal have to pay me to take on that level of risk?

Should Google pay out more for this? Probably. Is the average security researcher really going to take the risk of dealing with criminals in the hope that they pay a bit more? Unlikely.

replies(3): >>41868584 #>>41868608 #>>41869106 #
1. scotty79 No.41868608
I think maintaining anonymity is the key. Ensuring getting paid is the next thing. I'm not sure how you can achieve this in practice.