In 2024, a zero-day exploit for Apple iOS was worth up to $2.5 million on the legitimate broker market. A Chrome full-chain exploit fetched $500,000. An Android remote code execution: $2.5 million. These prices reflect a stark reality — software vulnerabilities are commodities, traded in a marketplace with its own supply chains, brokers, and pricing dynamics.
The Three Markets
Vulnerability trading operates across three distinct markets:
- White market: Bug bounty programs and vendor disclosure. Google pays up to $250,000 for critical Chrome bugs. Apple's maximum bounty is $2 million. These are the lowest payouts for the same vulnerabilities.
- Grey market: Government contractors and brokers like Zerodium openly publish price lists for exploits, purchasing them for intelligence agencies and law enforcement. Prices are 10-50x bug bounty payouts.
- Black market: Criminal forums and private channels where exploits are sold to the highest bidder. No rules, no disclosure timeline, no ethics review. Prices rival or exceed the grey market for high-value targets.
Why Prices Keep Rising
Zero-day prices have increased 5-10x over the past decade. The drivers are straightforward:
- Better defences mean scarcer supply: Sandboxing, memory safety, and exploit mitigations make finding reliable zero-days harder. Scarcity drives price.
- Government demand: Nation-state offensive cyber programs have growing budgets and insatiable appetites for access capabilities.
- Attack surface expansion: More connected devices, more software, and more cloud services mean more buyers with specific targeting needs.
- Exploit chain complexity: Modern exploits often require chaining multiple vulnerabilities, increasing development cost and therefore market price.
The Implication for Your Security Strategy
Here's the counterintuitive truth: zero-days are almost certainly not your biggest risk. The economics make this clear. A zero-day exploit costing $500,000+ is reserved for high-value targets — government agencies, defence contractors, major financial institutions. Attackers are economically rational. They won't burn a half-million dollar exploit on a target they can compromise with a known CVE or a misconfigured server.
For the vast majority of organisations, attacks use:
- Known vulnerabilities in unpatched software (cost: free)
- Misconfigurations in security headers, CORS, and TLS (cost: free)
- Credential stuffing with breached password databases (cost: pennies per credential)
- Phishing campaigns enabled by missing email authentication records (cost: minimal)
The Cost-Effectiveness of Hygiene
The security measures that block these commodity attacks are nearly free to implement: proper security headers, current TLS configuration, SPF/DMARC records, cookie security attributes, and keeping software updated. Each one closes an attack vector that threat actors use daily against millions of targets.
The economics are clear: attackers follow the path of least resistance. A site with hardened headers, proper TLS, and authenticated email forces attackers to escalate to more expensive techniques — or move on to an easier target. This is the asymmetry that works in your favour.
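The hygiene measures listed above are all checkable from artefacts you already have: a captured HTTP response and your domain's DNS TXT records. The script below is an added example, not ShieldReport's code, and it audits those artefacts offline: it flags missing security headers, a short HSTS max-age, a wildcard CORS origin sent alongside credentials, cookies without Secure/HttpOnly/SameSite, an SPF record that does not reject unmatched senders, and a DMARC policy of p=none. The list of required headers is an assumed baseline, not a standard, and the sample response and TXT strings are constructed for illustration.

```python
"""Offline hygiene audit: security headers, cookie attributes, CORS, SPF, DMARC.

Added example (not ShieldReport's code). Works on a response already captured
as a dict and on DNS TXT strings supplied by the caller; nothing is fetched.
"""
import re
from typing import Dict, List

# Assumed baseline of headers a hardened site sends; adjust to local policy.
REQUIRED_HEADERS = {
    "strict-transport-security": "HSTS missing: downgrade to plain HTTP possible",
    "content-security-policy": "CSP missing: script sources are unrestricted",
    "x-content-type-options": "X-Content-Type-Options missing: MIME sniffing allowed",
    "referrer-policy": "Referrer-Policy missing: full URLs may leak to third parties",
}
ONE_YEAR = 31536000  # seconds; common minimum for an HSTS max-age


def audit_headers(headers: Dict[str, str]) -> List[str]:
    """Return findings for a response's headers (names matched case-insensitively)."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = [msg for name, msg in REQUIRED_HEADERS.items() if name not in h]

    # Clickjacking: either X-Frame-Options or a CSP frame-ancestors directive.
    if "x-frame-options" not in h and "frame-ancestors" not in h.get("content-security-policy", ""):
        findings.append("No clickjacking protection (X-Frame-Options or CSP frame-ancestors)")

    # HSTS that expires quickly gives little protection against later downgrades.
    m = re.search(r"max-age=(\d+)", h.get("strict-transport-security", ""), re.I)
    if m and int(m.group(1)) < ONE_YEAR:
        findings.append(f"HSTS max-age {m.group(1)} is below one year")

    # A wildcard origin combined with credentials is a CORS misconfiguration.
    acao = h.get("access-control-allow-origin", "")
    with_creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*" and with_creds:
        findings.append("CORS: wildcard Access-Control-Allow-Origin combined with credentials")
    return findings


def audit_cookie(set_cookie: str) -> List[str]:
    """Return findings for one Set-Cookie header value."""
    parts = [p.strip() for p in set_cookie.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for p in parts[1:]:
        key, _, value = p.partition("=")
        attrs[key.lower()] = value
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: Secure missing, may be sent over plain HTTP")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: HttpOnly missing, readable by injected script")
    if attrs.get("samesite", "").lower() not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite not Lax/Strict, sent on cross-site requests")
    return findings


def audit_spf(txt: str) -> List[str]:
    """Check that an SPF TXT record ends by rejecting (or softfailing) unmatched senders."""
    if not txt.lower().startswith("v=spf1"):
        return ["SPF: no v=spf1 record"]
    last = txt.split()[-1].lower()
    if last in ("-all", "~all"):
        return []
    if last in ("+all", "all"):
        return ["SPF: +all authorises any sender"]
    return ["SPF: unmatched senders are not rejected (missing -all/~all)"]


def audit_dmarc(txt: str) -> List[str]:
    """Check that a DMARC TXT record carries an enforcing policy."""
    tags = dict(t.strip().split("=", 1) for t in txt.split(";") if "=" in t)
    if tags.get("v") != "DMARC1":
        return ["DMARC: no v=DMARC1 record"]
    if tags.get("p", "none") == "none":
        return ["DMARC: p=none only monitors; spoofed mail is still delivered"]
    return []


def audit_site(headers: Dict[str, str], spf: str, dmarc: str) -> List[str]:
    """Combine all checks for one captured response plus the domain's TXT records."""
    findings = audit_headers(headers)
    for k, v in headers.items():
        if k.lower() == "set-cookie":
            findings += audit_cookie(v)
    return findings + audit_spf(spf) + audit_dmarc(dmarc)


# Constructed sample: a typical unhardened response and weak mail records.
SAMPLE_HEADERS = {
    "Content-Type": "text/html",
    "Strict-Transport-Security": "max-age=300",
    "Set-Cookie": "session=abc123; Path=/",
    "Access-Control-Allow-Origin": "*",
    "Access-Control-Allow-Credentials": "true",
}
SAMPLE_SPF = "v=spf1 include:_spf.example.com ?all"
SAMPLE_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.com"

if __name__ == "__main__":
    for finding in audit_site(SAMPLE_HEADERS, SAMPLE_SPF, SAMPLE_DMARC):
        print("-", finding)
```

Each finding maps to one of the free fixes named above; running the same functions against a hardened response (long HSTS, CSP with frame-ancestors, nosniff, Referrer-Policy, cookies with all three attributes, SPF ending in -all, DMARC p=reject) returns an empty list.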
Vulnerability as a Spectrum
Thinking in terms of zero-days vs. no zero-days misses the point. Every website sits somewhere on a vulnerability spectrum, from "trivially exploitable with free tools" to "requires significant investment to compromise." The goal isn't to be unhackable — it's to not be the low-hanging fruit.
ShieldReport moves your domain up the security spectrum by identifying the configuration weaknesses that make you an easy, inexpensive target — the kind of issues that automated attack tools find in seconds.