From a business standpoint, how would you express the need for a vulnerability research team?
In the end, would it be infeasible from a business standpoint unless said business chalked it up as a marketing cost (to promote other services) or sold the vulns?
SCENARIO
Imagine working at a fortune 500 company that provides infosec products and has multiple clients.
Every time there's a new CVE out, they create Snort rules and implement them.
AFAIK the only selling point would literally be selling any vulnerabilities found and using the rest as internal advisories (like Cisco Talos).
However, given the opportunity cost, it would be cheaper for the researchers to bug-hunt on their own time. For example, if fuzzing for an OS X/iOS vuln, it would be cheaper to do it in one's spare time and get the full X amount, rather than a lesser amount in salary and maybe 20-50% of the value of the vulnerability as a bonus.