There's a thriving global market for software vulnerabilities that most people never see. Zero-day exploits — vulnerabilities unknown to the vendor — are bought and sold for anywhere from $5,000 to $2.5 million, depending on the target and the impact.
Understanding this market changes how you think about security.
What Is a Zero-Day?
A zero-day is a vulnerability that the software vendor doesn't know about and hasn't patched. The name comes from the fact that defenders have had "zero days" to prepare a defense.
- Discovery: a researcher or attacker finds a vulnerability in widely-used software.
- Decision: sell it, report it, or exploit it? The economics drive the decision.
- Use: depending on the buyer, espionage, cybercrime, or defensive patching.
- Patch: eventually discovered and patched — but the window can last months to years.
The Price List
Zero-day pricing depends on the target, the impact, and the buyer. Headline figures:
- $2.5M: iOS full chain
- $1M: Android full chain
- $500K: Chrome RCE
- $300K: Windows LPE
| Target | Bug Bounty Payout | Broker Price |
|---|---|---|
| iOS zero-click RCE | $2M (Apple) | $2-2.5M |
| Android full chain | $1M (Google) | $1-1.5M |
| Chrome sandbox escape | $250K (Google) | $400-500K |
| Windows privilege escalation | $100K (Microsoft) | $200-300K |
| Enterprise VPN RCE | $10-50K | $200-500K |
| WordPress RCE | $5-25K | $50-100K |
ℹ️ The Gap
Notice the gap between bug bounty payouts and broker prices. This gap is the fundamental challenge of vulnerability economics — it's often more profitable to sell to a broker than to report responsibly. The gap is narrowing as companies increase bounties, but it still exists for high-value targets.
The Three Markets
Zero-Day Market Ecosystem
White market (defensive)
Bug bounties, responsible disclosure, vendor security programs. Researchers report vulnerabilities to vendors for bounties and recognition. Payouts: $500 to $2M+.
Gray market (government)
Exploit brokers like Zerodium, Crowdfense, and government contractors. They buy exploits and sell to intelligence agencies and law enforcement. Payouts: $50K to $2.5M.
Black market (criminal)
Underground forums, encrypted channels, and direct sales. Exploits sold to cybercriminal groups, APTs, and ransomware operators. Prices are opaque but can match or exceed gray market rates.
Who Finds Zero-Days?
What This Means for Your Security
1. You Are a Target
If your application has users, data, or money, someone has an economic incentive to find vulnerabilities in it. The question isn't whether vulnerabilities exist — it's whether you find them before someone else does.
2. The Attacker's ROI Is Positive
Attacker Economics
- Find one vulnerability to succeed
- Can focus on the weakest point
- Automated tools scale to thousands of targets
- ROI is immediate upon exploitation
Defender Economics
- Must defend every vulnerability
- Must secure the entire attack surface
- Manual testing doesn't scale easily
- ROI is measured in incidents avoided
3. Time Is the Critical Factor
The window between vulnerability discovery and patching is when you're most at risk:
- Vulnerability introduced: a developer writes a bug and the clock starts. Average time in the codebase before discovery: 6-18 months.
- Vulnerability discovered: someone finds it — a researcher, an attacker, or an automated tool. If an attacker finds it first, exploitation begins immediately.
- Vendor notified (if responsible): the researcher reports to the vendor. Typical patch development time: 30-90 days.
- Patch released: the vendor ships a fix, but deployment takes time — many organizations are weeks to months behind on patches.
- Patch deployed: your systems are no longer exposed to this bug. Total exposure window: potentially 6 months to 2+ years from when the bug was introduced.
4. AI Changes the Equation
AI is rapidly changing vulnerability discovery:
- Fuzzing at scale — AI-guided fuzzers find crashes and edge cases faster than traditional tools
- Pattern recognition — ML models trained on known vulnerabilities can identify similar patterns in new code
- Automated exploitation — AI can chain findings and generate proof-of-concept exploits
- Continuous testing — AI doesn't sleep, doesn't get fatigued, and can test 24/7
⚠️ The Double-Edged Sword
The same AI capabilities that help defenders find vulnerabilities also help attackers. The organizations that adopt AI-assisted security testing first have a significant advantage — those that don't will face AI-powered attacks without AI-powered defenses.
Practical Takeaways
- Assume vulnerabilities exist — Your code has bugs. The question is whether you find them first.
- Reduce the window — Faster testing cycles mean shorter exposure times
- Layer your defenses — Combine automated scanning, expert testing, and bug bounties
- Monitor continuously — Detection is the next best thing to prevention
- Adopt AI-assisted testing — The economics favor automation. Use it before attackers do.
Don't wait for someone else to find your vulnerabilities. Start with automated AI scanning for continuous coverage, or request an expert review for comprehensive testing.