AFAIK most have exploits ready before the event, and demonstrate them publicly (for the first time) at the event.
In general, skilled crackers/reverse engineers/security experts will look for new bugs -- and when found, can either a) Tell the vendor, b) Tell the world, c) Sell the exploit to the highest bidder, or d) Use the exploit for nefarious purposes themselves.
In general some combination of a) and b) or c) is the most common -- these events are a way to compensate people to do a) and b) -- and provide some incentive to avoid c) (and d)).