Shoaib just blogged on "Hacking & Security Community - Ethical or Unethical?". To start with: I do not claim that I know all about ethics or that there is only one view on ethics, but I have a clear view on certain things.
I blogged on this theme several times already and made my points pretty clear:
When I talk to people who are selling vulnerabilities, they keep telling me that it is their right to sell their work, as they do vulnerability research for a living. So, let's use an analogy: How ethical would it be to look for ways to break into my house and then sell them to whoever pays the most, who will then offer me services to protect me? Is this ethical? Not from my perspective. If I hired somebody to look for these vulnerabilities, this would be a different game, but I would then want to know about them without them going public.
WabiSabiLabi tells us that they will not sell to the bad guys and that they check the identity of every buyer before they sell to them. So, we have to trust them.
Anyway, we have a policy that we do not buy vulnerabilities and that we are supporters of the responsible disclosure policy. This is what we do, and I am convinced that this is the right thing to do.
As you mentioned, WabiSabiLabi tells us that they will not sell to the bad guys and that they check the identity of every buyer.
We all know for a matter of fact that it takes just a few minutes to create an identity. We need to keep in mind that bad guys will do anything dirty to cause harm. They don't care about ethical and unethical stuff, but we do.
If any security researcher finds a vulnerability, I think he should notify the vendor first, as you said.