See extract from the NSS Labs site:

Recently, there has been increased interest in the way in which security vulnerability information is managed and traded. Vulnerabilities that are known only to privileged closed groups, such as cyber criminals, brokers, and governments, pose a real and present risk to all who use the affected software. With the use of empirical data, NSS has determined that on any given day over the past three years, privileged groups have had access to at least 58 vulnerabilities targeting Microsoft, Apple, Oracle, or Adobe. With specialized companies offering zero-day vulnerabilities for subscription fees that are well within the budget of a determined attacker, and with half a dozen boutique exploit providers jointly having the capacity to offer more than 100 exploits per year, privileged groups have the ability to compromise all vulnerable systems without the public ever being aware of the threats. Read on to learn more about the "known unknowns."

Vulnerability Purchase Program (VPP)

The article also talks about the market for selling vulnerabilities, see extract:

Traditionally, the primary players in the commercial vulnerability market have been iDefense, which started its  Vulnerability Contributor Program (VCP)  in 2002 and TippingPoint, which started its Zero Day  nitiative (ZDI)  in 2005.

Both vendors publicly advertise their vulnerability handling services and policies. With VPPs, it is a challenge  for the sellers to demonstrate and the buyers to ensure that there is no malicious intent.

The VCP and ZDI programs typically purchase vulnerability information to protect customers before a vulnerability becomes public  knowledge, subsequently informing the vendor of the affected software. The VCP and ZDI programs advertise their  ethics and request that security researchers accept lower compensation with the assurance that the information  will be used for benevolent purposes.

Get your own copy of this document at: