For exploits that don't target a single deployed instance, there is a 'grey/white' market. Off the top of my head: ZDI (more defence oriented; I think they distribute just signatures for intrusion detection), Zerodium (more offence oriented), Exodus Intel EIP (not really sure... they distribute a feed).