[fragmede]

Why the distinction?

Security researchers are in high demand right now and with good reason - a competent security researcher can write an exploit given a limited amount of information, and I find it unlikely MS themselves necessarily has exploit code for all situations.

A competent security researcher should be able to go from this diff: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g... to full exploit code in a day. An afternoon, even.

I bring this up because there's nothing particularly magical about writing exploits, even if it isn't a skill a ordinary programmer possess. If the vulnerability has already been found, so whether or not this is simply MAPP/CIPP or something more nefarious, your distinction seems a bit academic.