
How Are Zero Day Exploits Discovered When Publicly Exploited?
Cybersecurity, Exploits, Threat Intelligence, Security Research
The post asks how zero-day exploits are typically discovered when they are being publicly exploited. It asks whether these discoveries are usually made through patterns of repeated attacks on specific firewall vendors or hardware, or through typical SOC alerts that are escalated until someone reverse engineers the exploit. The post also asks whether vendors themselves or bug bounty programs are involved in these discoveries, and whether the individuals who discover these exploits have deep knowledge of coding, malware reverse engineering, security research, threat intelligence, threat hunting, and IR.