0-day "gray" market
Years ago, when a geek (usually a researcher or hacker) was discovering a vulnerability in the security of an OS or on some major application, his first move was to claim loud he had found it.
He was doing so by posting a lot on dedicated newsgroups, on some forum, and sometimes even in some newspaper.
He was therefore making his reputation (ans usually ego) grow higher. One time out of two, he was then mailing the owner of the product (or OS) about that new vulnerability.
By the way, a newly found vulnerability which is not yet patched or corrected is called a "0-day".
Things have changed nowadays, and the discovery of a new 0-day brings the inventor to some choices:
- Claiming the discovery, as it had always been done.
- Keeping it for himself, and often coding exploits to use it in some ways (usually malicious), until some other people finds it and patches it.
- Spreading it to a small community exchanging 0-days. (even more malicious)
- Selling it.
Of course, why should these countless hours not be paid ?
Selling it on auction websites is generally a bad idea, but an interesting vulnerability can also be sold to criminal organizations, who would exploit it quickly to spread new malware, or to the government.
I won't develop more, because there's an amazing paper around, written by Charles Miller.
Believe me, it is very very interesting. Have a good time reading it ;-)