Companies that really care about security have their own moles in the hackers groups and are able to judge in which direction is the hacker research going. They typically have enough resources to do their own research, with a good chance of discovering vulnerabilities first.