[3pt14159]

There is an offensive security conference called Infiltrate that has videos floating around that you can find online. Finding 0days in constantly attacked stuff like Windows is getting harder, but the tools these guys are building are getting more complex / interesting. I'd say the bar is higher, but it's still not hard to do and some lesser known platforms like QNX are straight easy if you have some time.

Much like, say, JavaScript development the tooling and instruction is of a much higher quality and much more diffuse. If you're smart and you put in a couple of years you can do it too, and some of these vulns fetch millions, though they're frequently blown on pwn2own contests or otherwise responsibly disclosed. I suspect that that is going to change over the next couple years as every major government amps their cyberwarfare / int budgets.