What are the different specialties in exploit development/research?

I noticed that most online exploit development resources are about fuzzing and exploiting different flavors of buffer overflow. The problem with that is that most CVEs are not necessarily related to buffer overflows.

So my question is: are there specialties in exploit research and development?

The answer to that question will help in knowing how to go and learn a specific topic.

For instance, CVE-2021-3156 is a buffer overflow while CVE-2021-22986 is not. Does it mean a researcher will spend his time on a dedicated platform and look for a specific type of vulnerability?

For instance:

  • Researcher A mostly looks for BOF in Unix system apps
  • Researcher B mostly looks for BOF in Apache Web server
  • Researcher A mostly looks for whatever web vulnerability in the F5 BigIP admin interface