Responsible disclosure (where the vendor is notified first) has proven to be an unmitigated disaster. Vendors simply ignore the vulnerability report as long as possible. The only way vulnerabilities get addresses is when a PoC is created and publicized.
Buyers of exploits (at least those who aren't blackhats/criminal enterprises) generally intend to use them for their security services/applications. They have to have the latest exploits otherwise they can't protect their clients.
Buyers of exploits (at least those who aren't blackhats/criminal enterprises) generally intend to use them for their security services/applications. They have to have the latest exploits otherwise they can't protect their clients.