“Grey hat” hackers would not sell exploits, they are called grey hats because they are not looking to exploit systems for personal gain (which selling would be personal gain, something done by “black hat” hackers) but rather they have other motivations (such as doing it for fun, or to help make software more secure) *without* authorization from the owner of the system/software (hackers working with authorization are “white hat” hackers).

That said, they find stuff just like most other types of hackers, they know how computers work, they know how software works, they attempt to exploit systems in various ways…some based off older/patched stuff, others based off currently known unpatched things. To intentionally find exploits generally requires a fundamental understanding of the system you are trying to hack so you can envision possible ways to exploit that system. Sometimes things are found by accident, many times it’s the hacker knowing how a system works and attempting to subvert the security controls in place, which requires a level of critical thinking that bots are not capable of.

tl;dr – They rarely if ever use bots or brute force, it’s often targeted and intentional.