A zero-day is a vulnerability the software vendor does not yet know about. The name comes from the vendor having had zero days to fix it. As long as it stays secret, anyone who holds it can exploit it against fully patched, up-to-date systems, because there is no patch to apply. That secrecy is exactly what gives a zero-day its value, and it is what the market is built to preserve.
The defender's whole model assumes that bugs get found, reported, and fixed. The zero-day market inverts that assumption for the highest-value bugs. Instead of flowing to the vendor to be patched, they flow to buyers who want them to remain unpatched and usable. Understanding the incentives explains a lot about why your phone is both remarkably hard to hack and never quite safe from a well-funded adversary.
Three Markets, Not One
It helps to separate the trade into three distinct channels, because they have different rules and different ethics.
- The defensive market. Vendors run bug bounty programs that pay researchers to report flaws so they can be fixed. Apple, Google, Microsoft, and many others pay published rates. The bug dies when it is patched.
- The gray market. Brokers and exploit-acquisition firms buy working exploits and resell them to government clients for intelligence and law enforcement use. The bug stays alive deliberately. This is where firms like Zerodium operated publicly, posting price lists.
- The black market. Criminal trade in exploits and access, used for fraud, ransomware, and theft, conducted on forums and through private deals.
The same vulnerability could in principle be sold into any of these. Where it ends up is determined mostly by price, by the seller's appetite for risk, and by the seller's conscience.
Why the Defensive Market Cannot Win on Price
This is the structural problem at the heart of the trade. A vendor paying a bug bounty is buying the bug once, to delete it. A government buying the same bug is buying a capability, to use repeatedly against targets, for as long as it survives. Those two buyers value the same object completely differently, and the government's valuation is almost always higher.
The defender pays to make a bug worthless. The offensive buyer pays to keep it valuable. The second motive supports a far higher price, which is why the most powerful exploits rarely reach a bug bounty.
Bug bounty programs have raised their payouts substantially over the years, and that genuinely pulls some researchers toward disclosure. But for a full zero-click chain against a flagship phone, the gray-market price has consistently outrun what any vendor pays. The market clears in favor of secrecy for the most dangerous bugs.
Prices scale with how hard the target is to hack and how reliable the exploit is. A zero-click chain against the latest mobile OS sits at the top because it defeats every layer with no user action. A bug that needs the target to install something is worth far less, because cheaper attacks already achieve that.
The Brokers and Vendors
A few firms have made the gray market visible. Zerodium published a public price list for years, openly advertising payouts for exploits in major platforms and naming the categories it wanted. Other companies, including the spyware vendors behind tools like Pegasus and Predator, acquire or develop exploits to power the surveillance products they sell to states. The connection is direct: the mercenary spyware industry is a primary consumer of the zero-day market.
There is also the question of governments buying directly. Intelligence agencies maintain their own exploit development and acquisition. The 2017 leak of stolen NSA tools, which led to the WannaCry and NotPetya outbreaks, demonstrated the downside of an agency stockpiling exploits rather than reporting them: when the stockpile leaks, the same capabilities turn on the public.
The Equities Problem
When a government finds or buys a vulnerability in software its own citizens use, it faces a genuine dilemma. Keeping the bug secret preserves an intelligence capability. Disclosing it to the vendor protects the millions of ordinary users running the same software. You cannot do both, because using a bug requires it to stay unpatched, and patching it ends its usefulness.
In the United States this trade-off is formalized as the Vulnerabilities Equities Process, a review that decides whether to retain or disclose a given flaw. Critics argue it leans toward retention and lacks transparency. The deeper point is that the dilemma is real and unavoidable: every retained exploit is a bet that no one else will find the same bug and use it against the people the government is supposed to protect. Bug collisions, where two parties independently discover the same flaw, mean that bet is not always safe.
What This Means for You
The market explains why patching is the single most effective routine defense available, and also why it is not a complete one.
| Reality | What follows for you |
|---|---|
| Most attacks use known, patched bugs | Updating promptly closes the vast majority of real-world risk. The criminal market relies heavily on people who have not patched. |
| Zero-days are scarce and expensive | They are spent on high-value targets, not used broadly. If you are not specifically targeted, this part of the market is unlikely to touch you. |
| Attack surface drives price | Reducing what your device exposes (fewer apps, hardened modes) raises the cost of attacking you and shrinks the relevant bug pool. |
| Reliable exploits are perishable | Every patch can kill a million-dollar capability. Vendor update cadence directly degrades the offensive market over time. |
Why It Connects to Honest Security
The zero-day market is a useful corrective against absolute claims. Any product that tells you it is unhackable is ignoring an entire economy of people whose job is to prove otherwise. The honest position is that security is a moving cost curve. You cannot make attacks impossible, but you can make them expensive, perishable, and narrowly targeted rather than cheap and broad.
That is the lens we build with at Haven: open, auditable protocols so flaws can be found and fixed by anyone rather than hoarded, prompt response to disclosure, and a refusal to claim invulnerability we cannot deliver. The market for secret bugs is real. The best answer to it is software whose security does not depend on its bugs staying secret.