Interesting stuff. Russian developers of MPack interviewed:
How do you get the exploits for MPack? Do you buy them?
For our pack, there are two main methods of receiving exploits: The first one is guys sending us any material they find in the wild, bought from others or received from others; the second one is analyzing and improving public reports and PoC (proof-of-concept code).
We sometimes pay for exploits. An average price for a 0-day Internet Explorer flaw is US$10,000 in the case of good exploitation.
Is the project profitable?
The project is not so profitable compared to other activities on the Internet. It's just a business. While it makes income, we will work on it, and while we are interested in it, it will live.
Of course, some of our customers make huge profits. So in some ways, MPack could be looked at as a brand-name establishment project.