What’s the security business about? Plenty of people sit in dark rooms and search software for vulnerabilities. When they discover one, they normally inform the software vendor about it and after that make it available to the public. The vendor releases a patch, and the exploit gets published to the net. What does the security analyst get for it? Nothing but a bit of fame.
That’s supposed to change. On Tuesday, the first official* marketplace for security flaws opened. If you discover a vulnerability, you can register at WabiSabiLabi and sell it there in an auction or for a fixed price. The sellers and buyers must verify themselves, so no script kiddies or bad guys may buy an exploit there. Of course, one may ask if this is morally OK. I came to the conclusion that it is, because the software vendors then spend the money they saved by dropping quality and security checks of their software, so it should be zero in sum. And the guys sitting in their dark rooms get what they deserve.
* Of course, there has been a market for vulnerabilities in the underground for a long time.