Penetration testing is the common answer, though that job description can also be a bit of a euphemism.

It is also worth noting that breaking into the computer of a foreign national that is located overseas is often not a crime in the united states, or is at least considered very difficult to prosecute if it doesn't involve fraud, financial transfers or a few other hot buttons.

Fame, reputation, marketing, using 0day in pen-tests, etc.

This isn't new, security companies have been paying contractors for unpublished advisories and exploits for over 15 years now.

Well besides the vendor you mean?