The business is booming, The New York Times reported.
On the European island of Malta, Luigi Auriemma, 32, and Donato Ferrante, 28, operate their own hacking company, ReVuln, but the pair won't reveal the names of their clients.
A few years ago, hackers like Auriemma and Ferrante would have sold the details of the flaws to companies like Microsoft and Apple, and the companies would have fixed them.
Although the companies have recently increased how much they are willing to pay for the information, they are being outbid by countries who wish to exploit the flaws, the Times said.
Connected middle-men market the information to governments in exchange for a 15 percent cut.
"Governments are starting to say, 'In order to best protect my country, I need to find vulnerabilities in other countries,'" Howard Schmidt, a former White House cybersecurity coordinator, said. "The problem is that we all fundamentally become less secure."
The United States is a big buyer of the information, the Times said, but Israel, Britain, Russia, India and Brazil are some of the other big spenders.