>I've seen one go for $600k.

Without revealing the actual site/method/whatever; can you please explain how the 0day exploit market works?

I can make basic assumptions that it is deep-web-forums/TOR/Whatever... but can you enlighten me as to how one might go about selling/buying such an exploit?

It's not really a huge secret. I'm sure you could do a little digging and find out what's what. But that said, here's a run-down of the market:

There are lone ranger types and small groups that churn out a few exploits. These guys (the small groups) go through trusted middlemen (usually via encrypted email), who buy the exploits at a discount. Now the middleman has a collection of 0days that he can sell to established customers, which might be government or criminal organizations. Sometimes the organizations want exclusive rights to an 0day (to prevent it getting leaked and patched), sometimes they don't.

On the other, less sketchy, side of things, there are companies that do more or less the same thing. They do the same kind of vulnerability research, but a lot of the time it's on behalf of the company whose product they're trying to hack, or possibly a government organization. They don't usually go through middlemen; they just work directly with the government or company. They can't and don't do anything obviously illegal, which limits the amount of stuff they can make, but obviously sticking to legal activities has its benefits. Sometimes legality is a little fuzzy, but these groups try to tread lightly.


I can smell a Hollywood movie potential here. "0day the Movie"

I just went to a security conference and started asking around among friends. It's like asking around a high school who sells weed, everyone kinda knows but they don't talk about it openly.

You'll get introduced to someone who has a small security firm and from their LinkedIn page you can see they have a pretty vague but interesting past. Ask for a shit ton of money.

Did the guy spend 8 years at a British aerospace company before going into consulting? GCHQ. 5 years at the "Department of Defense"? NSA. High school dropout? Chinese or Russians.
