[micaksica]

Agreed. There are probably 5-25K (yes, large range, but still order of magnitude higher) people in the Bay Area alone that are capable of writing exploits.

[mseebach]

Also, there's a huge difference in the number of people capable of secretly building exploits alone in their bedrooms at night (probably committing a crime), and those building them as a day job, where you can solicit feedback and advice from peers, reference well-organised documentation and study the original source code of previously successful exploits and freely discuss ideas and approaches with colleagues over lunch.

Which of course partially challenges this assumption in the article:

The developers of the malware [..] were discovered and not trained.

[lawnchair_larry]

people capable of secretly building exploits alone in their bedrooms at night (probably committing a crime)

No, that isn't how exploit research works. I don't understand why one would think that writing exploits is associated with being a criminal.

[mseebach]

Research, no, but turning it into malware is.

[lawnchair_larry]

Do you consider exploits to be malware? If so, then no, you couldn't be more wrong.