Sean Hargrave over at the Guardian seems concerned about security research firms paying hackers for exploits before they are even reported to the responsible vendor. My reaction to this issue has been: "So what, big deal".
Various vendors have made defending against so-called 0day exploits their primary differentiator. The concept is that most organizations are already well defended against known threats. Therefore, their biggest concern is being ready for the brand-new attack that comes in the night. There are a couple of problems here. Most organizations are *not* well protected. Look at the recent success hackers have had infecting over 10,000 web servers with malicious Trojans.
Making your security purchase decisions based on a vendor's claims or ability to "get the exploits first" is silly. Security has moved into the somewhat more boring realm of compliance, efficiency, manageability, reliability, throughput, and effectiveness. Winning the race to the next 0day worm is not a buying criterion.
You may question the morality of a vendor paying people to discover exploits, but at the end of the day it just does not matter. So what, big deal.