
It's not really a huge secret. I'm sure you could do a little digging and find out what's what. But that said, here's a run-down of the market:

There are lone ranger types and small groups that churn out a few exploits. These guys (the small groups) go through trusted middlemen (usually via encrypted email), who buy the exploits at a discount. Now the middleman has a collection of 0days that he can sell to established customers, which might be government or criminal organizations. Sometimes the organizations want exclusive rights to an 0day (to prevent it getting leaked and patched), sometimes they don't.

On the other, less sketchy, side of things, there are companies that do more or less the same thing. They do the same kind of vulnerability research, but a lot of the time it's on behalf of the company whose product they're trying to hack, or possibly a government organization. They don't usually go through middlemen; they just work directly with the government or company. They can't and don't do anything obviously illegal, which limits the amount of stuff they can make, but obviously sticking to legal activities has its benefits. Sometimes legality is a little fuzzy, but these groups try to tread lightly.




I can smell a Hollywood movie potential here. "0day the Movie"
