The Underground Economy of Zero-Days Is Getting Out of Control
Governments and private buyers are bidding up zero-day exploit prices to levels that fund sophisticated hacker operations.
A zero-day vulnerability — an unpatched security flaw that the vendor doesn't know about — is worth serious money. In 2026, the prices are eye-watering. Major intelligence agencies will pay $2-5 million for high-quality zero-days affecting widely used software. Private companies are competing in the same markets. This economic dynamic is reshaping cybersecurity.
The Zerodium platform acts as a middleman, collecting zero-days from independent researchers and hackers, then reselling them to government and corporate buyers. A working Chrome zero-day might fetch $1 million. A Windows kernel exploit could be worth $2-3 million. For researchers with the skills to find these vulnerabilities, it's an attractive alternative to responsible disclosure (reporting vulnerabilities to vendors).
This creates perverse incentives. Why responsibly disclose a vulnerability if you can sell it for millions? The security community worries that this encourages hoarding: hackers find vulnerabilities and sell working exploits rather than disclosing the flaws, so vulnerabilities persist in software longer. The NSA and other intelligence agencies justify zero-day purchases as necessary for national security, but as long as the vendor never learns of the flaw, no patch is released for it.
Some researchers argue that higher bug bounties from companies like Google and Microsoft (now offering $1-3 million for some exploits) can compete with underground markets. But the fundamental economics remain: sophisticated hacker operations are well-funded by zero-day sales. Understanding this market is key to understanding modern cybersecurity threats.