This has aleady been going on, publicly, for many years and is the value proposition of several companies.
Take a look at TippingPoint ZDI and VUPEN. All they do is find/buy vulnerabilities, privately weaponize (or provide mitigations for) them, and sell the new product to companies and governments.
Take a look at TippingPoint ZDI and VUPEN. All they do is find/buy vulnerabilities, privately weaponize (or provide mitigations for) them, and sell the new product to companies and governments.