We all know it happens, but it is rarely exposed as clearly as Adam Pennenberg did in his article for Fast Company, The Black Market Code Industry. It turns out that this 0day seller was an HP employee:
According to the consultant who snared Marester, his quarry's skills appear quite sophisticated. His wares, if they performed as advertised, could help a hacker take down machines running that particular software anywhere in the world. His real name is Steve Rigano; he's a self-employed network consultant from Grenoble, France, who works full time at HP, where he is listed in the switchboard and maintains an hp.com email address. He told me that he saw nothing wrong with offering tools and techniques that targeted the company providing his paycheck.
A self-taught hacker, Rigano says he discovered the vulnerabilities and coded the exploits on his own time, which he says is none of HP's business. "I have the right to sell what I want," he says. He told me he attracted mostly Chinese and Russian buyers, but claimed he never found takers for the HP or SAP "vulns" and exploits. He said he stopped selling black-market code in January but didn't explain why.
Most security companies I have been acquainted with frown on this type of activity, as I am sure HP has. It's hard for them to sell security products and services when their employees are selling the very tools the company is purportedly defending against.
[Update 7/7/2008: The information in the Fast Company article is being disputed by Steve Rigano. He has notified us that he has taken legal action against Adam Pennenberg and Fast Company.]