Security and vulnerability tracking companies' reactions were more dramatic: they immediately raised alert levels, both because the flaw was an unpatched "zero-day" bug, and also because exploits were already out and about. Danish security company Secunia, for instance, tagged the new flaw as "Extremely critical," its highest warning; Symantec, meanwhile, gave it a rating of 9.4 on its 10-point scale for vulnerability alerts.
—Gregg Keizer, "Attackers Exploit New Zero-Day Windows Bug," InformationWeek, December 28, 2005

Some vendors say they're doing the industry a service by paying others to uncover vulnerabilities, presumably removing software bugs. I agree it's a good thing not to have researchers posting harmful zero-day exploits on the Internet without giving the affected vendor time to address the issue. I also agree it's a good idea for security vendors to collect zero-day information so they can provide preemptive protection capabilities to their products. But these ends are better achieved through controlled research within reputable and established security research organizations.
—Christopher Rouland, "It's NOT ethical for security companies to buy vulnerability information," Network World, September 12, 2005

"Hackers raise the bar for security and find holes that wouldn't otherwise be found," said Kent Browne of Condemned.org, a group of volunteer hackers that target child pornography sites. Browne said even the best intrusion detection tools identify only about 50 per cent of these exploits. The so-called zero day exploit list, which is circulated between elite hackers, features a minimum of 100 fresh vulnerabilities a week, he claimed.
—"'We're the good guys' claim hackers," VNU Newswire, April 13, 2000