Great idea out of unsecurityresearch to do an anonymous survey of vulnerability researchers to identify their experiences interacting with the groups advertising vulnerability purchasing programs and direct buyers (anyone who buys vulnerabilities but doesn't maintain an advertised program).
http://cyber-son.blogspot.com/2010/05/v ... mbers.html
Side note... I woke up from the harsh realities of "To CERT or not to CERT" (www.cert.org) I want to say this year. As of 2005 (they STILL have cases that far back from me), from 2005 through now I have about 10-15 open VRU's (F5, Cisco, MS, VMWare and others) for NON small software issues. I went the "responsible" disclosure route. Spent who knows how many hours on research, crashing, fixing, testing, exploiting, etc...
I was on the phone with Codenomicon recently trying to get ahold of their fuzzer (really expensive) and my theory was: "If I found bugs and responsibly disclosed them, the world would be a safer place" (sort of). It was during the conversation where the engineer made me realize... "Why are you bothering to do any of these vendors favors? They pay people on their staff to address these concerns. You get nothing out of it..." That coupled with the "No More Free Bugs" (http://trailofbits.com/2009/03/22/no-more-free-bugs/) movement and it was game over.
There is a huge marketplace for responsible research. For those into reverse engineering, fuzzing, exploiting, I hope you find the stats to be worthy to either contribute if you've made money from your research, or if you're into researching, keep something in mind... At the end of the day, free security research is pointless. This does not mean you're selling out or practicing reckless disclosure. Just some food for thought