Typically they don’t. There are teams of researchers who have multiple engineering degrees whose only job it is to find previously undisclosed vulnerabilities. They are paid what is called a ‘bug bounty’. These are programmers and engineers with intimate familiarity with how software works, how operating systems manage low level memory operations, and how all the corresponding protocols work. The image of a lone basement dwelling hacker able to outsmart teams of engineers is inaccurate. And no, Abby Shuto couldn’t just access a database after typing a few buttons.

What is more likely to happen is that a patch is released by a manufacturer. When that happens the time to exploit kit is only a few days. That is because when the manufacturer releases the patch, the flaw becomes obvious, they are essentially releasing directions on how to exploit their flaw. Exploit kits (something legitimately used by spy groups and law enforcement agencies) are not difficult to come by and their operation, while confusing to a normal user, are far easier to use than attempting to find a previously undisclosed flaw.