
$60k looks like a lot less when you don't know going in that you'll even find anything. It's potentially months of speculative work, and you stand a very good chance of coming up empty-handed. For not much less, anyone with this skill set can have a guaranteed salary.

There is also the fact that anyone in the industry can make a few phone calls and have a bidding war on this type of exploit that will go well into the 6 figures, possibly as high as 7 according to some. $1M sounds high to me personally, but there is no doubt that it will fetch a few hundred thousand.



Taking the 60k from Google doesn't lead to spending several years of your life in Federal prison, which is a significant risk with selling an exploit.


Where on earth did you get the idea that there is something illegal about selling exploits? Several companies exist that do exactly this, and they operate in public, above board.

To my knowledge, the US government is the biggest buyer of unpublished exploits. And they pay a lot more than 60k. One well-known US-based company is even run by a former NSA employee, and they're currently advertising a remote pre-authentication exploit in the latest version of MySQL.


Ignoring the US government, what legal use would a company have for unpatched exploits?


Penetration testing is the common answer, though that job description can also be a bit of a euphemism.

It is also worth noting that breaking into the computer of a foreign national that is located overseas is often not a crime in the United States, or is at least considered very difficult to prosecute if it doesn't involve fraud, financial transfers or a few other hot buttons.


Fame, reputation, marketing, using 0day in pen-tests, etc.

This isn't new; security companies have been paying contractors for unpublished advisories and exploits for over 15 years now.


Well besides the vendor you mean?


Links please.



Are you familiar with anyone who has ever gone to prison for selling an exploit to a third party? What were they charged with? You may not be interested in the kind of attention you'd get from intelligence or law enforcement, but as far as I know the act itself is legal in most/all jurisdictions.


It's also fairly 'common knowledge' that taking $60k and some hacker fame from Google in a legitimate setting is a VERY legitimate way of setting yourself up for a $100k/month job at Google or any reputable infosec company.

Selling exploits on the black/grey market is and will always be fast money, and a bad idea.


Infosec jobs that pay $1.2MM a year? The only people making close to that are the blackhats - and not many of them.



