Learning exploit dev and vulnerability research on browsers and operating systems (like Project Zero’s work) is really difficult, and ends up being mostly self-taught. One good entry point into this role for people early in their career, though, is NSA’s development programs, especially CNODP and C2DP.