The companies that sell this kind of product aren’t doing it as a side hustle. It’s not like “oh, well yea, Atlassian mostly sell Jira but also they have a team farming viable iPhone data extraction vulns.”

If you were working with one of these companies, you’d know it because it’s their primary/only product/focus.

Which is still interesting. I'm not sure why people won't name these companies. tptacek says it's not interesting, but that's pretty obviously not true. Why won't people name these companies? If they're so insulated from normal commerce, and so specialised that they only provide these services, it shouldn't really matter if anyone knew who they were. They're companies. Unless they're obviously engaged in actually illegal activities (which they may well be, but it's currently not possible for me to determine that) they shouldn't be taboo to discuss. I find it weird that people want to claim "oh yeah, they definitely exist, trust me bro, they're all really secretive, but also totally legit" but they won't mention any names.

I can only assume that there are actually some industry or professional repercussions for disclosing any specifics, because otherwise the only other logical explanation for such tight lipped discussion is that people are somewhat afraid to talk about these companies.

Also, Google, Apple, Microsoft, Meta probably have some of the most respected vulnerability research labs in the world. They, despite their many and varied other flaws, tend not to weaponise and profit from said research. I mean, they might, but they also do a pretty good job of actively and responsibly publishing this research.

Are you a security agency for some sovereign state in the world? Then you already know who they are. Otherwise: you're not a customer.