The market for the sale of zero-day vulnerabilities fundamentally shifted this year and, heading into 2013, bug hunters will increasingly play by a set of new rules, vulnerability experts say. As the sale of black-market zero-day exploits continues to take off and new gray-market players make a fortune selling information about exploit techniques and unpatched vulnerabilities to corporations and nation states, vulnerability researchers are starting to pull the punches on how much public disclosure they offer about their discoveries.

In years past, researchers would freely explain their exploit techniques and methods for bypassing specific security mitigations within targeted software when disclosing a vulnerability, says Brian Gorenc, manager of TippingPoint DVLabs at HP, which through the Zero Day Initiative (ZDI) pays researchers for responsibly disclosing vulnerabilities.