What Is a Bug Worth?

Section 0Executive Summary

Section 1What Is Actually Being Priced

Most arguments about exploit value are arguments about different things. The pricing object — the thing the buyer pays for — is rarely the bug. Four distinct objects circulate through the market, and most published prices conflate them.

Once the four objects are separated, several long-running disputes resolve. Bounty payouts and broker prices are not "the price of an iOS bug"; they are prices on different objects with different liquidity, exclusivity, and buyer obligations. A Five-Eyes contract is not paying for a chain — it is paying for maintained access through the chain's degradation curve. A ransomware affiliate is not buying a defect — they are buying access, and they will pay for stolen credentials, an n-day, or a 0-day with equal indifference if the operational outcome converges.

The great-power frame sharpens the taxonomy. The March 2025 DOJ indictment of i-Soon documents pricing on a different pricing object than Western broker price sheets: $10,000 to $75,000 per compromised email account. That is access pricing, and it is what the PRC end customer was actually paying for — not chains, not exploits, not defects. The 2024 i-Soon leak put a comparable line item on the wire: roughly $55,000 to compromise the Vietnamese Ministry of the Economy. When the same firm priced individual MPS contracts in the low- to mid-six-figures and brokered "tens of millions" in revenue from MSS and MPS bureaus, the underlying object was always operational outcome, never bug. Western analyses that treat the Chinese market as an opaque mirror of the Western broker tier miss that the pricing object itself is different.

A second conflation runs orthogonal to the pricing object: the gap between an advertised offer and a realised sale. Two ex-brokers have now put first-hand numbers on the intermediary's cut. Maor Shwartz, who founded the brokerage Q-recon, disclosed his firm's fee schedule on stage at Black Hat 2019 — 17% from companies, 15% from governments — paid with no advance: a percentage on validation (a ~14-day window), the remainder split over three to six months, deals under $100K settled only after the exploit checks out. "The grugq," the independent middleman behind the canonical 2012 Forbes price chart, reported the same ~15% commission — and that roughly 80% of his revenue came from US buyers "because they pay more." That ~15–17% wedge, stacked on the offer-vs-sale discount the Williams case exposes (an advertised $20M ceiling against a $162K-per-exploit clearing price), is why a broker's published sheet is a bounding curve, never a transaction record.

This is the foundation. Every later section is about which object is priced, by whom, against what alternatives, and over what time horizon.

Section 2The Forces That Set Value

Five forces shape what a buyer will pay for any of the four pricing objects above. They are not weights in a tidy multiplicative formula — they interact, dominate one another at different points in the bug lifecycle, and respond to second-order pressure from substitutes. They are the language of valuation.

1. Maintenance — the hidden TCO variable

This is the insight Mark Dowd has been hammering since OffensiveCon 2022, and it remains the most under-priced variable in public discussion of the marketplace.

Total cost of ownership for an offensive capability is discovery plus development plus ongoing maintenance. Most external valuations count only the first two. On hardened T1 targets the third dominates the first two combined within 12-18 months of the chain reaching production. This is why "asking price" headlines mislead: a $7M chain that requires $200K/month of maintenance has an entirely different unit economics than a $7M chain that needs occasional touch-ups.

2. Time decay

Vulnerabilities are wasting options. Their value decays as exposure, patching, and detection close in. The decay curve is not smooth. It is shaped by the patch cadence of the target (monthly for Android, a few weeks for Chrome's stable channel, irregular for many enterprise products) and by the appearance of competing capabilities. The 2025 RAND data — still the cleanest empirical work on stockpile dynamics — found median latent life around 6.9 years with a collision rate of 5.7% per year, but those numbers are from a 2017 dataset and almost certainly overstate residual lifetime in 2026 conditions.

Time decay under great-power pressure: Recorded Future and SentinelOne LABScon analyses found that CNNVD beats NVD to publication 43% of the time on average — but only 3% of the time when a vulnerability is being actively exploited by Chinese APT groups, and CNNVD has retroactively altered 267 publication dates to obscure the MSS evaluation window. The decay curve in China is artificially extended by deliberate disclosure-timing manipulation.

The directional shift: while China's adversarial mirror is operating at full capacity, the US side of the same infrastructure has been hollowing out. On February 13, 2024 NIST publicly acknowledged a "growing backlog" of unanalyzed CVEs in the National Vulnerability Database and announced it would stop fully enriching incoming submissions, citing resource constraints. By mid-2024 the backlog was widely reported in the tens of thousands. CISA stood up the Vulnrichment ADP container in May 2024 to fill the gap, and in April 2025 had to scramble to extend MITRE's CVE Program funding after a contract lapse threatened the entire CVE numbering authority. The asymmetry is the load-bearing point: at the same moment the PRC's CNNVD continues to operate as a state-controlled vulnerability funnel that grants MSS first refusal on disclosed bugs, the US-led centralized infrastructure has been partially decommissioned, federated across CISA / MITRE / private CNAs, and forced into emergency funding mode. Western analyses that assume symmetric decay across actors mis-price the Chinese capability lifecycle — and the Western system that historically anchored the comparison is no longer reliably doing so.

3. Detection — the attribution tax

A burned exploit is not just worthless — it is negative-value. It exposes attribution chains, leaks technique, retires similar capabilities by signature, and creates diplomatic friction. Dowd's 2026 update reinforced this with a sharp methodological point: vendor "Lockdown Mode prevented X attacks" claims are silly because operators select capability against observed defenses; if a target runs Lockdown Mode the operator deploys something else, not the same payload.

4. Substitution

The 0-day is rarely the only path to the operational effect. The substitution set includes n-days, stolen credentials, supply chain compromise, insider recruitment, telecom interception, cloud-account takeover, and increasingly social engineering at scale. Mandiant's M-Trends 2025 found stolen credentials had moved up to the second-most-common initial access vector at 16% of investigations, behind only exploits at 33%. Verizon's 2025 DBIR reported 22% of breaches across 12,195 incidents involved credential abuse. The exploit-or-nothing framing is a category error; rational buyers price chains against the cheapest substitute.

5. Conversion

Conversion is the gap between holding a defect and producing the operational outcome. It encompasses chain assembly, OPSEC, deployment infrastructure, target reconnaissance, and the human operator's tradecraft. Two buyers holding the same defect may extract radically different value because their conversion machinery differs by orders of magnitude. This is why state-direct prices look high in the abstract and reasonable in context: the price is paying for a capability that ships into a conversion pipeline costing tens of millions to maintain.

Burn discipline differs by regime. The Atlantic Council's DeSombre Bernsen documents that "truly burning a capability is much rarer in China." The PRC system runs an "A-team to D-team cascade": elite teams use a vulnerability first, and the same exploit is then handed down to subsequent tiers of operators, often after the initial use is detected. The Microsoft Exchange 2021 case is the canonical example — one Chinese APT group exploited the vulnerability two days before disclosure to Microsoft; multiple other Chinese groups began exploiting it en masse within twenty-four hours of the public patch. In Western procurement, "burning" a capability is a discrete, costly event that operators avoid by selecting capability against observed defenses. In the Chinese model, the burn is amortised across many operators. The economics are not comparable.

Section 3The Buyer Economy

Seven actor models pay different prices for the same technical artifact. They differ on what object they buy, how they price substitutes, what maintenance they tolerate, and what obligations they impose. The taxonomy is not exhaustive — it is the minimum disambiguation needed before any "what is the price" question makes sense.

Two structural notes from the 2026 Dowd interview tighten this taxonomy. First, the top-tier offensive market is gated by trust networks, not procurement — a fact that materially affects how policy proposals around "lawful hacking" should be modelled.

Second, the market boundary is wider than "exploit pricing." Effect-based buyers may route demand into cloud abuse, telecom interception, or sister-company services that produce the same operational outcome.

Section 4The AI Inflection

AI is the largest live variable in vulnerability economics. It changes the time axis on both sides simultaneously. Three forward-leaning claims dominate the discourse; each gets a steelman and a counter.

Dowd's framing of why the asymmetry holds is worth quoting at length:

FOSS supply-chain qualifier: the C5 thesis assumes a vendor architecture where a merged pull request becomes a shipped patch within a release cycle the vendor controls. Most of the world's exploitable code does not live in that architecture. Open-source dependencies travel through maintainer review (often a single unpaid individual), upstream release, distro repackaging, container-image rebuild, transitive-dependency resolution, and downstream consumer adoption — a chain measured in months to years rather than weeks. AI does not compress that chain; if anything, it pulls it the wrong direction by lowering the cost of malicious or low-quality contributions to under-resourced projects. Three live cases anchor the asymmetry:

xz-utils (CVE-2024-3094, March 2024). "Jia Tan" spent roughly three years building maintainer trust on a critical compression library before merging a backdoor into builds destined for systemd-linked SSH; the CISA advisory documents the social-engineering pressure campaign on the original maintainer Lasse Collin, who was openly burned out and looking for a co-maintainer. Andres Freund caught the backdoor accidentally via a SSH-handshake performance regression. Russ Cox's forensic timeline traces the operation. Log4Shell (CVE-2021-44228, December 2021). Sonatype's 2024 State of the Software Supply Chain reports that years after disclosure, vulnerable Log4j versions are still downloaded approximately one in eight times the package is requested. AI does not fix the millions of unmaintained applications still pulling them. Polyfill.io (June 2024). A domain-takeover after the original maintainer sold the domain to a Chinese-registered entity; the SanSec analysis documents over 100,000 sites compromised, including Hulu and JSTOR. The patch was "stop using polyfill.io," but downstream removal took weeks for sophisticated buyers and is still incomplete elsewhere.

The structural point: the FOSS supply chain is the exact inverse of the managed-vendor ecosystem the C5 thesis describes. Authority is decentralized, maintainer capacity is the binding constraint, downstream propagation is unowned, and trust is built socially rather than contractually. The Linux Foundation's Census III documents that a small number of critical packages have one or zero active maintainers. AI raises the floor for attackers in this ecosystem (cheap PRs, cheap social engineering, cheap fuzzing of obscure dependencies) without raising it commensurately for defenders, because there is no vendor budget to spend the AI tailwind on. Great-power competition compounds the problem: PRC-affiliated maintainer pressure (the Linux kernel "hypocrite commits" controversies, Huawei contribution patterns) and Russia-aligned maintainer departures (the 2024 Linux kernel patch removing Russian-affiliated maintainers) are now structural risks. The defender tailwind is real where it lands; the FOSS supply chain is exactly the segment where it does not.

The AI inflection is also producing a second-order externality that does not show up in price data: vendor guardrail policy is becoming a chilling effect on defenders, not just researchers. Dowd's framing is sharp on this:

The market-power asymmetry between frontier AI vendors and security practitioners is shaping what counts as "responsible" before the empirical question of marginal harm has been settled. This is a missing externality in any "AI is net-defensive" model.

The China-side AI picture is asymmetric

The defender-tailwind framing rests on a Western-centric reading of who has the AI. China's offensive cyber program is already deeply integrated with AI institutions and runs without the guardrail tax. Three concrete observables anchor this:

Huawei's HULK Robot. Margin Research's Watching the Watchers analysis found Huawei's automated bug-finding system was credited with around 25% of the bugs fixed in Linux 5.4 and 15% of the bugs fixed in Linux 5.10, contributing roughly 1,689 patches in their 2021 dataset — about three times the volume of the open-source Syzbot. Margin's structural concern is that Huawei tests fixes on its openEuler distribution before upstreaming, opening a window in which the bug is known to the Chinese ecosystem but not yet patched in mainline Linux.

DeepSeek as Chinese cyber capacity input. CSIS and Reuters reporting documented DeepSeek's V3 (December 2024) and R1 (January 2025) reaching near-frontier reasoning performance on nominally export-compliant H800 silicon, with a senior US State Department official confirming DeepSeek's references in 150+ PLA procurement records. NIST CAISI's September 2025 evaluation found DeepSeek agents roughly twelve times more likely than US frontier models to be hijacked into malicious instruction-following — phishing, malware execution, credential exfiltration. Cisco's red-team evaluation found DeepSeek failed to block any harmful prompt in their representative set, where GPT-4o blocked 86%.

Civil-military fusion AI labs. CSET's Academics, AI, and APTs identified six Chinese universities (including Harbin Institute of Technology, Shanghai Jiao Tong, BUPT, and Sichuan University) running AI labs that have direct relationships with state-aligned APT groups. Under the 2017 Civil-Military Fusion framework and the 2017 National Intelligence Law (Article 7's universal duty to support intelligence work), commercial AI tooling flows into state cyber programs without the contractual ceremony Western firms require.

The asymmetry is the operative point. The Western defender-tailwind argument assumes vendors will use AI to ship class kills faster than offensive operators can find new chains. The China-side picture is that offensive operators have access to AI tools that ship without guardrails, run on Chinese hardware that Western export controls have failed to fully constrain, and feed a state pipeline that imposes mandatory disclosure within forty-eight hours. The defender tailwind exists in the West; the offensive tailwind exists everywhere else. Whether the former wins on net depends on which side's tailwind is structurally larger — and that is now an open question rather than an obvious one.

Section 5The Cost Curve Crossing

Dowd's 2022 keynote argued that for hardened tier-1 targets the cost curve was approaching an inflection: it was becoming more expensive to attack than to defend. Three years later that thesis is testable against shipping evidence. The deeper question, however, is the mechanism: why does the curve cross? The answer is not just that mitigations get cheaper. It is that the rate at which different actors independently find the same bug is rising — and rediscovery rates are the load-bearing variable behind every other claim in this paper.

Rediscovery: the collision-rate constraint

Trey Herr, Bruce Schneier, and Christopher Morris's "Taking Stock: Estimating Vulnerability Rediscovery" (Belfer Center, 2017, revised October 2017) is the foundational empirical work on this question, and its findings reshape every economic model that depends on bugs being privately retained. Herr et al. analyzed disclosure records across Chrome, Firefox, Android, and OpenSSL and found an aggregate annualized rediscovery rate of 12.7%, ranging from 10.8% for Chrome (2009-2017) to 21.9% for Android (2016-2017), with revised Firefox at 14%. For Chrome and Android, more than 60% of all rediscovery occurred within a single year. OpenSSL was an outlier at 3.4%, but on a small sample (57 bugs, 2 duplicates) the authors flagged as low-N.

The Herr findings sit in direct tension with RAND's 2017 Zero Days, Thousands of Nights, which estimated annualized rediscovery at 5.76% and under-90-day rediscovery at less than 1%. The two papers measured different populations — RAND used a small private dataset of held zero-days, Herr used public disclosure records as a proxy for discovery — but the gap is wide enough to matter. Earlier work by Ozment (2005) found 9% rediscovery on immature software; Finifter, Akhawe, and Wagner (2013) found 4.6% for Chrome alone. The policy consequence has always been the Vulnerabilities Equities Process: if rediscovery is closer to 1%, retention dominates; if closer to 22%, disclosure dominates.

For an economics paper rather than a policy paper, the consequence is more structural. Rediscovery is the rate at which any privately-held capability faces the risk of becoming worthless — not because it was burned in operation, not because it was patched in the normal cycle, but because someone else independently found it. Every other variable in this paper interacts with that rate:

• Maintenance cost (§2) is rational only if the asset survives long enough to amortise the maintenance burden. Herr's 12.7% says that, in expectation, half of any year-cohort of Android bugs is independently rediscovered within four years even with zero defender effort.
• The China A→D-team cascade (§3, §6) is a structural bet that rediscovery is low enough to amortise the same bug across multiple operators. Herr's data says the bet has a hard ceiling.
• Defensive intelligence buyers (Model G in §3) — ZDI, broker-funded VRPs — price bugs against the cost of a class kill, but the rationality of the entire model depends on rediscovery being high enough that disclosure produces a real defensive payoff.
• The bifurcation thesis (§7) is partly a rediscovery story. Premium-tier full chains have low rediscovery (novel logic, multiple obscure components, expert-only territory). Commodity bugs have rediscovery at or above the Herr rate. The middle thins because the maintenance economics work only at the rediscovery extremes.

The equities-process implication: the United States Vulnerabilities Equities Process was designed in the era when 5.76% rediscovery was a defensible upper bound. The Herr / Schneier / Morris work in 2017 made retention harder to justify on cost-of-collision grounds. The 2024-2026 AI-assisted discovery wave makes it harder still. China's RMSV regulation (§9) is the inverse: a state-mandated funnel that captures rediscovery from domestic researchers and routes it to MSS first. The two equities regimes are diverging at exactly the moment the empirical case for retention is weakening on the Western side.

The cost-curve claim, in light of rediscovery

Great-power qualifier: the cost curve crosses cleanly only for hardened-mobile and browser surfaces where the West has spent the engineering capital. It has not crossed for enterprise edge devices, telecom infrastructure, or critical-infrastructure OT. Salt Typhoon and Volt Typhoon (Section 6) both exploited the segments where Western vendors have not invested at the same rate as Apple and Google. The cost curve is geographically and sectorally uneven, and PRC operators are picking exactly the seams where Western mitigation engineering has not landed.

The mitigation soak-period dynamic

The patch-to-exploit window

Section 6Substitution and Effect-Based Buying

Effect-based buying is the most under-priced shift in the 2026 marketplace. The framing comes directly from Dowd:

Persistence as canary for effect-based buying

Persistence used to be table stakes in offensive operations. In Dowd's 2026 framing, it has been quietly demoted from feature to optional liability:

Reboot-as-defense follows from this directly. Dowd was sharp on the Triangulation case: phones reinfected every two-three days produced "a lot of opportunities for artifacts, for capturing network traffic, for doing man-in-the-middle, catching the full exploit chain." Each redeployment is a capture opportunity — an externality that scales with the target's reboot frequency.

Cloud and backend pivots

The logical conclusion of effect-based buying is that as endpoint chains get longer and more brittle, the cloud account, the telco, and the human asset become the cheaper substitute. Dowd traces the pattern explicitly:

For an economics paper this is the third axis of substitution. The first is 0-day vs. n-day (time). The second is exploit vs. credentials (vector). The third is endpoint vs. cloud-or-telco (architecture). All three operate simultaneously and interact: when MIE pushes endpoint chain prices into the eight figures, cloud account takeover at $5K from an access broker becomes the rational substitute for many operational objectives.

Salt Typhoon as substitution at strategic scale

The 2024-2025 Salt Typhoon campaign is the cleanest illustration of effect-based substitution at nation-state scale. The August 2025 CISA / NSA / FBI joint advisory, co-signed by twelve partner nations, attributed compromise of nine US telecommunications carriers (Verizon, AT&T, T-Mobile, Lumen, Charter / Spectrum, Consolidated Communications, Windstream, and two unnamed) to PRC state-sponsored actors. Senator Mark Warner (Senate Intelligence Committee Vice Chair) called it the worst telecom hack in US history. The PRC actors stole bulk call detail records on more than a million subscribers concentrated in the Washington DC metro, intercepted live calls and SMS of fewer than one hundred highly targeted individuals (including reportedly the Trump and Vance campaign principals), and — most strategically — accessed the systems used to service US lawful-intercept (CALEA) wiretap requests.

The operational outcome — access to a target's location, communications, and metadata — was achieved without endpoint exploit chains. The PRC operator substituted upstream telecom infrastructure compromise for downstream device compromise. US Treasury sanctioned Sichuan Juxinhe Network Technology in January 2025 for direct involvement in Salt Typhoon. The economics implication is that effect-based buying at the top of the market does not necessarily route through the broker market for chain-level capability — it can route through a contractor relationship that buys carrier infrastructure access. The substitution thesis is strongest at the volume-collection tier exactly when it is bounded at the boutique-chain tier (Section 7).

The companion campaign, Volt Typhoon, illustrates the substitution principle from another direction. The February 2024 CISA advisory documented PRC actors maintaining access in some US critical-infrastructure environments "for at least five years" using living-off-the-land tradecraft (wmic, ntdsutil, netsh, PowerShell) rather than custom malware. FBI Director Wray testified to the House Select Committee on the CCP in January 2024 that PRC hackers were pre-positioning to "wreak havoc" on US infrastructure and that PRC cyber personnel outnumber FBI cyber personnel by at least 50 to 1. Volt Typhoon substituted credential reuse and edge-device compromise for chain-based capability against hardened mobile targets — and the operational effect (latent disruption capability against energy, water, communications, and transportation) is, by every conventional metric, more strategically valuable than any ten iOS chains.

Section 7The Bifurcation

The exploit market is splitting along a clear seam. A premium-few tier sells exquisite full chains to sovereign customers at multi-million-dollar price points with maintenance contracts and exclusivity. A commodity-many tier sells "button" tooling to many less-technically-sophisticated customers cheaply. The middle is thinning.

The pattern is documented across multiple authoritative sources:

Dowd's framing of how this happened is mechanically clean. As mitigations stack and chains get longer, brittler, and more expensive, the producer faces a choice: serve a few customers paying top dollar, or commoditise and serve many customers cheaply.

The 0-day price paradox

The paradox resolves by decomposing chain cost. Discovery cost is collapsing — AI helps. Weaponisation cost is exploding — modern chains require five or more components where three sufficed five years ago, each independently maintained. Maintenance cost compounds with each component. The dominant cost has shifted from "find a bug" to "compose and maintain a full chain," and the latter is moving in the wrong direction for the buyer.

Section 8The Geopolitical Fork

The mobile platform threat model is fragmenting along geopolitical lines. The 2010s assumption that iOS-and-Android encompasses the strategic surface no longer holds in Asia, and the regulatory regimes around vulnerability disclosure are themselves diverging.

National-asset status creates a funding gradient that pulls security investment toward parity with Apple and Google. Western analyses that assume non-Western platforms are fish-in-a-barrel are using a 2018 mental model. The economic implication is a third axis on the cost curve: vendor sophistication is no longer a Western monopoly, and the comparative advantage in mitigation engineering may not last the decade.

HarmonyOS adoption update. Per Counterpoint and SCMP reporting, in Q2 2025 HarmonyOS reached 17% of the China smartphone market and iOS 16% — the sixth consecutive quarter HarmonyOS has surpassed iOS domestically. Caixin reports the developer base hit eight million by mid-2025. HarmonyOS NEXT, the first fully Android-incompatible build, shipped on the Mate 70 series in late 2024; Huawei committed all 2025 flagship devices to NEXT. The 2021 China-Russia joint communiqué committed both nations to coordinated development of HarmonyOS, openEuler, and Russia's Aurora OS as a counter to "the US monopoly." The threat-model bifurcation that started as a regulatory choice in 2021 is now a platform reality with eight-figure user counts.

The competition pipeline. Per the Atlantic Council's Capture the (Red) Flag, China runs fifty-four annually-recurring hacking competitions that route vulnerabilities into MSS, MPS, and PLA branches. The inaugural Matrix Cup in June 2024 offered ¥18M (roughly $2.5M) for zero-day exploits; it was co-organized by Integrity Tech, the firm Treasury sanctioned in January 2025 for its role in Flax Typhoon. Tianfu Cup returned in January 2026 under MPS organizational lead with an explicit AI-assisted vulnerability-discovery track and the contest website blocked to non-China IP addresses after the event. The closed-format consolidation continues.

Section 9The Chinese Funnel and the Western Middle's Future

Section 7 established that the Western exploit market is bifurcating — premium-few primes at the top, commodity-many products at the bottom, the middle thinning. Section 8 established that the regulatory environment in China is structurally different from the West. The Atlantic Council's June 2025 report Crash, exploit, and burn: Securing the offensive cyber supply chain to counter China in cyberspace by Winnona DeSombre Bernsen is the first comparative study of the two acquisition models — and it gives the bifurcation thesis a sharper edge. The Chinese system is not just different; it is the picture of what a healthy state-supported middle market looks like. The contrast tells you what the Western middle is failing to be, and predicts where it goes from here.

Two market structures, one comparison table

The DeSombre framing is sharp: "China's domestic cyber pipeline dwarfs that of the United States"; "China's acquisition processes use decentralized contracting methods... shortens contract cycles, and prolongs the life of an exploit through additional resourcing and 'n-day' usage"; "the United States risks ceding to China whatever strategic advantage it has left in cyberspace" without significant reform.

Why this predicts the Western middle's future

The Western middle market — boutique research firms below the L3Harris / NSO tier but above the Cellebrite "button" tier — is structurally weak in ways the Chinese middle is not. DeSombre's report names the mechanisms:

1. Middlemen extract value rather than create it. US middlemen with prior government connections drive up costs and erode buyer-seller trust. The middle is rent-extractive, not productive.
2. The talent pipeline has a "training valley of death" between junior and intermediate researchers. The US loses people exactly at the point where they would feed a healthy middle.
3. Procurement penalizes the middle. US acquisition favors large primes who carry compliance burden while subcontracting actual research. Small high-skill teams are deterred by the contracting bureaucracy.
4. Big Tech is an obstacle, not a feeder. Apple's MIE and Google's Rust-in-Android raise the floor for everyone — including for Western middle-tier research firms that lack the resource depth to keep pace.

The Chinese middle market thrives because the state actively props it up: state-mandated vulnerability flow into CNNVD, decentralized provincial procurement that lets small firms close 56+ separate contracts, civil-military fusion that integrates corporate research teams as offensive capacity, and a deliberate "A-team to D-team" cascade that gives middle-tier operators access to depleted-but-still-useful capabilities. Without those mechanisms, the Western middle is a market segment defending itself against gravity. The bifurcation thesis (Section 7) is the consequence.

The uncomfortable corollary

If the Atlantic Council framing is right, the bifurcation in Section 7 is not just a market dynamic. It is a national-security capability gap. The Chinese model treats the middle as a strategic resource to be cultivated; the Western model treats it as an unfortunate side-effect of capitalism. DeSombre is direct: "It is impossible for the United States to match China's supply of zero-day exploits by sheer numbers alone." The path forward she proposes is not to copy the authoritarian funnel, but to selectively borrow the structural mechanisms — state-sponsored brokers, talent pipelines, decentralized procurement, n-day usage — that make the Chinese middle viable.

The 2026 Dowd interview, recorded around the same time as DeSombre's research, makes the same prediction from a practitioner's vantage:

The pincer is: at the top, AI accelerates defender re-architecture so chains get longer and more expensive (Section 4-5). At the bottom, AI commoditizes discovery against weak vendors (Section 9-10). In the middle — where the Western market is structurally weakest and the Chinese system is most actively cultivated — the gap widens until either the West adopts state-feeder mechanisms or the middle ceases to exist as a meaningful market segment.

That is the most consequential prediction this paper is willing to make. It is also the most falsifiable: by 2028, either the Pall Mall Process has produced a functional FVEY middle-tier broker, or the Western middle has consolidated into the prime-and-commodity duopoly that the bifurcation thesis describes. There is no stable third path.

Section 10The Less-Sophisticated-Vendor Problem

The AI inflection's most concentrated harm may not land on hyperscale vendors at all. It lands on the long tail.

Great-power exemplar: the December 2024 Treasury sanction on Sichuan Silence Information Technology documents the less-sophisticated-vendor problem at industrial scale. PRC contractor Sichuan Silence and Guan Tianfeng exploited Sophos firewall CVE-2020-12271 in April 2020, compromising 81,000 firewalls including 36 protecting US critical infrastructure operators. The vendor was not Apple. The vulnerability was not in MIE-protected code paths. The economics ran the other direction: a single bug in a mid-tier security appliance compromised more strategic surface than ten iOS zero-clicks would have. The pattern repeats with Salt Typhoon's exploitation of provider-edge and customer-edge routers (Cisco, Palo Alto), and with Volt Typhoon's living-off-the-land tradecraft against energy, water, and transportation sector edge devices. Hardened-mobile mitigation gains have pushed adversary attention down the vendor stack, and the less-sophisticated-vendor segment is where great-power competition is producing the most strategic damage.

The asymmetry is a defender-side mirror of the buyer-side bifurcation. The top of the market gets a tailwind — more compute, more research budget, AI-assisted re-architecture. The long tail gets a headwind — AI-assisted discovery, no comparable patching pipeline, and an attacker class that has already shown it will target the path of least resistance.

Section 11Limits, Counter-Arguments, and Confessions of Uncertainty

No model of a market this opaque is right; the question is whether it is useful. This section names the load-bearing claims, what they get right, what they likely get wrong, and what cannot be priced at all from where this paper sits.

The great-power frame as load-bearing context

Every claim in this paper sits inside a US-China structural rivalry that is now reshaping the marketplace faster than the marketplace itself is moving. Forward-leaning claim C14 is the connective tissue:

What this paper gets right

1. The pricing-object disambiguation is a genuine clarification. It dissolves arguments that conflate bug, exploit, chain, and access into shouting matches about different things.
2. Maintenance cost is empirically real and structurally under-priced in public analysis.
3. The bifurcation thesis is the best-supported claim in this paper. It is consistent across Atlantic Council, Citizen Lab, GTIG, public market filings, and Dowd's first-hand framing.
4. The effect-based buying frame correctly captures why credential-driven, telecom-driven, and cloud-driven access vectors are not exotic substitutes — they are a first-class market layer.

What this paper might get wrong

1. The cost-curve thesis depends on AI's defender tailwind generalising beyond mobile and browser. The 2025 Mandiant data on edge devices suggests it does not. If the cost curve crosses for iOS but stays inverted for Ivanti and Palo Alto, the headline obscures the picture.
2. The bifurcation thesis depends on the mid-tier truly thinning. If Intellexa, Cytrox, and similar boutique-but-not-NSO vendors persist, the picture is trifurcated, not bifurcated.
3. The effect-based buying thesis is bounded at the top. Crowdfense's $30M expansion and Operation Zero's $20M chain bounty are direct evidence the premium tier still pays for capability, not effect. The thesis is correct for the broad market and false for the very top.
4. The persistence-is-optional claim required a reframe. Endpoint persistence is optional. Edge persistence is not. Operationally, persistence has migrated, not retired.
5. The democratization counterargument deserves more credit than the AI-asymmetric-toward-experts framing assumes. The Android privesc preprint shows AI-only making real progress. The expert advantage holds at iOS / Pixel / kernel; it softens elsewhere.
6. The great-power frame may overstate state agency. Markets have their own gravity; the bifurcation thesis would hold even without sanctions cycles. Attributing too much to political weather risks under-weighting the structural mitigation engineering and AI cost dynamics that would reshape the market regardless. The frame is load-bearing context, not the only force.
7. Rediscovery rates for elite chains are not measurable from public data. The Herr / Schneier / Morris 12.7% baseline is a public-disclosure proxy; nation-state-tier chains are absent from that dataset. The C15 claim that rediscovery is rising under AI is directionally robust but the magnitude for the very top of the market is genuinely unknown. RAND's 5.76% may still apply to NSO-tier chains even as the bottom of the market converges on the Herr rate.

What I genuinely cannot price

• Government-direct pricing past the published broker tier. The numbers leak occasionally; they are not a market.
• Stockpile depletion rates as MIE and MTE harden the heap. The math suggests fast; the operational evidence will lag by 18-24 months.
• Whether the Five-Eyes trust-network gating mechanism Dowd describes survives a generational handover at acquired companies.
• The post-2028 equilibrium when AI agents on both sides have moved past current capabilities. Anyone projecting that point is speculating.

The frame for the next two years

Dowd's "Wild West / manifest destiny" framing is the right rhetorical anchor:

The honest position for any vulnerability-economics framework right now is: the variables we have priced are real, the variables we are pricing today will look quaint in 24 months, and the smart move is to publish what we know with confidence labels and let the next edition discipline the previous one. That is the discipline this paper attempts to model.

Section 11.5Confirmed Sale Anchors (Added April 2026)

A research corpus of ~150 historical exploit / vulnerability / surveillance-product transactions (court records, leaked invoices, government disclosures, journalism) was compiled in April 2026 and used to stress-test the interactive model's algorithm. The full corpus lives at research/2026-04-25-confirmed-prices/RESEARCH.md; the algorithm validity report at VALIDITY-STRESS-TEST.md. The anchors below are the single most evidentiarily strong rows from that corpus — they are the empirical bedrock under every claim in this edition.

Tier 1 — Court-confirmed sales

• $900,000 — Azimuth Security → FBI for the iPhone 5C exploit chain that unlocked the San Bernardino device (paid March 2016, revealed via court unsealing 2021). Mark Dowd / David Wang / "Cy" as the operators. WaPo 2021-04-14 (Nakashima/Albergotti) · Vice/Motherboard
• $1,300,000 cumulative for 8 zero-day exploits (avg ~$162K/exploit) — Peter Williams (ex-L3Harris/Trenchant general manager) → Operation Zero (Russian broker), 2020–2025. DOJ-confirmed via guilty plea + 87-month sentencing October 2025. The single largest data point challenging the "Operation Zero pays $20M" headline. DOJ press release · TechCrunch (Operation Zero sanctions, Feb 2026)
• $8,000,000 — NSO Pegasus end-user contract to Ghana NCA (2015), via IDL reseller. Three Ghanaian officials convicted Accra High Court 2020. Times of Israel
• $4,000,000 punitive (after Hamilton remittitur Oct 17 2025; was $167.254M jury verdict May 2025) + $444,719 compensatory — WhatsApp v. NSO Group, 4:19-cv-07123 (N.D. Cal., Judge Phyllis Hamilton). Permanent injunction granted same date. CourtListener
• $7,000,000 "standard price" for 15 concurrent targets (plus a ~$1–2M cross-border "covert vector" add-on) — NSO's own commercial pricing, testified verbatim by Sarit Bizinsky Gil (NSO VP of Global Business Operations, the defendant's designated financial witness) in her deposition for WhatsApp v. NSO. Sealed in the September 2024 court filing; surfaced via Meta's May 2025 release of the deposition transcripts. The clearest first-hand figure for NSO list pricing since the 2016 rate card — and distinct from it (the 2016 "$650K per 10 targets" card traces to NYT reporting, not this docket). Gil deposition transcript (Meta)
• $50,000 — Charlie Miller's self-disclosed Linux kernel exploit sale to a US government agency (2007). Originally offered $80K contingent on a specific Linux flavor; renegotiated to $50K with no flavor restriction. The first published seller-confirmed offensive sale in academic literature. Miller WEIS 2007 (PDF)

Tier 2 — Leaked invoices and primary documents

• $25,100,000 annual — NSA TAO "covert purchases of software vulnerabilities" budget line, FY2013, from Snowden Black Budget. WaPo Black Budget (Gellman/Miller)
• €40,059,308 (~$44.4M) — HackingTeam total client revenues 2003–2015, from leaked finance spreadsheet. Per-customer breakdown: Mexico $6.3M aggregate (largest), Chile $2.85M (single largest contract), Morocco €3.17M, Sudan NISS €960K, Ethiopia INSA $1M, plus US DEA single $575K invoice including "Exploit Portal Full Access (Zero-Day level)" — atop a separate $2.4M DEA contract for the Remote Control System (Galileo) via reseller Cicom USA, of which ~$927K was paid before DEA cancelled in 2015. WikiLeaks Hacking Team archive · DEA–Cicom contract (FOIA) · Vice DEA invoice
• NSO Pegasus 2016 leaked rate card: $500K install + $650K per 10 iOS/Android targets + $500K per 10 BlackBerry + $300K per 10 Symbian. The foundational rate card for almost every subsequent Pegasus pricing estimate. Engadget on NYT (Perlroth/Mazzetti) 2016
• €1,400,000 — FinSpy full toolset price list (2014 Gamma/FinFisher PhineasFisher 40GB dump). Per-activation pricing: €1,950 (2011) → €2,340 (2013) per Win/macOS infection. Vice/Motherboard FinFisher
• €8,000,000 — Predator iOS RCE 0day capability tender (Spain, ~2022) per leaked Intellexa proposal in the 2023 Predator Files. The same leaked proposals decompose the capability per-unit: a €900K "magazine" of 100 successful infections (~€9,000 per infection), a €3M persistency add-on, and a €1.2M "Nova" add-on for five additional target countries — rare line-item evidence that access is priced per-outcome, with persistence and geographic reach billed as discrete options. ICIJ Cyprus Confidential · Amnesty Security Lab (Predator Files)
• $10K–$75K per email inbox — i-Soon contract ledger (Feb 2024 leak). $55K specifically for Vietnam Ministry of Economy compromise. SentinelOne characterized these as "cut-rate prices" — data contradicts the popular narrative that MSS pays elite money for elite work. SentinelOne i-Soon analysis

Tier 3 — Government disclosures

• $61,000,000 — Mexico aggregate Pegasus spend across 31 contracts 2011–2018 (Calderón + Peña Nieto admins), per Mexican Public Safety Secretary Rosa Icela Rodríguez 2022 statement. NYT 2017 had reported ~$80M earlier; Mexican government's own disclosure is the lower-bound figure. PBS NewsHour / AP
• $32,000,000 — Mexico PGR initial NSO contract (2014). First publicly-confirmed eight-figure Pegasus contract.
• $30M–$35M — Cellebrite UFED multi-year contract to ICE (signed June 24, 2019). Federal procurement records (USAspending.gov) show this is a multi-year aggregate, not an annual rate: ICE-HSI's annual Cellebrite awards run $4.95M (2021) → $5.12M (2022) → $6.17M (2023) → $9.60M (2024) → $11.11M (2025) — the commodity-tier "button" buyer, billed exactly. USAspending (2025 ICE award)

Tier 4 — Reputable journalism (multi-source)

• $55,000,000 install fee — Saudi Arabia Pegasus 3 (2017) per Haaretz / Times of Israel reporting (Avi Bar-Eli / Hagar Shezaf series). Single-outlet originally; corroborated by Bergman/NYT.
• $2,000,000,000 total package — India–Israel classified weapons + intelligence package (2017), Pegasus is one component. NYT Magazine (Bergman/Mazzetti, Jan 28 2022)
• $313,000,000 — L3 (later L3Harris) acquisition of Azimuth Security + Linchpin Labs → Trenchant (closed Aug 31, 2018; base ~$200M + earnout up to ~$32M). Sets a corporate-valuation reference for elite Five-Eyes-only offensive capability.
• €1 (one euro) — InTheCyber Group / Memento Labs acquisition of HackingTeam (April 2019, post-bankruptcy distressed). The canonical distressed-vendor pricing case. MIT Technology Review
• $200,000 — Tianfu Cup 2018 prize for the iPhone Safari→kernel "Chaos" chain (Qixun Zhao / Qihoo 360), subsequently weaponized by Chinese intelligence against Uyghurs. Best-documented contest-to-state pipeline globally. MIT Tech Review

Critical caveats

• Operation Zero $20M is an OFFER, not a sale. Sustained marketing announcement 2023–2025 on Telegram/X. Zelenyuk himself walked it back to $2.5M in August 2025. The only court-confirmed Operation Zero transaction is the Williams DOJ case at $1.3M / 8 exploits. Treat the headline as a bounding curve, not a clearing price.
• Crowdfense $30M program is the program ceiling, not paid-out. Per-tier numbers ($5–7M iOS, $9M zero-click MMS) are advertised maximums.
• The broker's cut is ~15–17%, disclosed first-hand. Maor Shwartz (founder of the brokerage Q-recon) put his fee schedule on stage at Black Hat 2019 — 17% from companies, 15% from governments, paid with no advance (a percentage on a ~14-day validation, the rest split over 3–6 months). "The grugq," the independent middleman behind the 2012 Forbes price chart, reported the same ~15% commission. That intermediary wedge, stacked on the offer-vs-sale discount, is why a published broker sheet always overstates what a seller actually nets. Shwartz, Black Hat 2019 (slides)
• Operation Zero's standing per-app sheet is more modest than the $20M headline. The archived price page lists Signal RCE at $2M (the highest published Signal figure anywhere), iOS/Android full chains at $2.5M each, and Telegram RCE at just $500K. The widely-cited "$4M Telegram" was a separate March-2025 bounty campaign, not the standing sheet — don't merge them. opzero.ru price sheet (Wayback, 2026-02-25)
• Iran (APT35) and North Korea (Lazarus) have NO documented zero-day purchase prices in open source. Both states overwhelmingly weaponize n-days or develop in-house. Treat any quoted Iran/DPRK exploit-purchase price with extreme skepticism.
• "$10M Stuxnet" is not in primary sources. Most rigorous estimates: ~$20M malware development, $300M–$1B operation including human intelligence (Volkskrant 2024 / Kaspersky's Costin Raiu).

Full corpus: RESEARCH.md. Algorithm-validity scoreboard: VALIDITY-STRESS-TEST.md. Machine-readable subset: data/confirmed-prices-2026-04.json.

Section 12Sources

All sources cited inline above are reproduced here for ease of reference. Where multiple URLs share an institution, both are listed.

Primary vendor sources

• Apple Security Research — Memory Integrity Enforcement (Sept 2025)
• Apple Security Bounty — 2025 program update
• Google Security Blog — Rust in Android (Nov 2025)
• Project Zero — From Naptime to Big Sleep
• Google Cloud — Big Sleep makes a big leap
• Project Zero — Policy and Disclosure 2025
• Project Zero — 0days In The Wild tracker

Threat intelligence and incident response

• Mandiant M-Trends 2025 (blog) | PDF
• GTIG — Hello 0-Days, My Old Friend (2024 zero-day trends)
• GTIG — 2025 Zero-Days in Review
• Verizon 2025 DBIR (PDF)
• Symantec / Broadcom — ransomware extortion epidemic
• Citizen Lab — Pegasus returns 2022 (PWNYOURHOME)
• Citizen Lab — Bad Connection (telecom surveillance)
• Citizen Lab — Paragon proliferation
• SentinelOne — Unmasking i-Soon (Feb 2024)
• Unit 42 — i-Soon data leaks analysis
• Cisco — DeepSeek security risk evaluation
• CSIS — DeepSeek, Huawei, Export Controls and the Future of the US-China AI Race

Government and regulatory

• CISA — Known Exploited Vulnerabilities Catalog
• CISA BOD 22-01
• CISA AA24-038A — Volt Typhoon (Feb 2024)
• CISA AA25-239A — Salt Typhoon (Aug 2025)
• ODNI — 2025 Annual Threat Assessment
• FBI Director Wray — House Select Committee on the CCP testimony (Jan 2024)
• US Treasury — Sichuan Silence sanctions (Dec 2024)
• US Treasury — Integrity Tech sanctions (Jan 2025)
• US Treasury — Sichuan Juxinhe / Salt Typhoon sanctions (Jan 2025)
• DOJ — i-Soon indictment (March 2025)
• DARPA — AIxCC results (Aug 2025)
• NIST CAISI — DeepSeek evaluation (Sept 2025)
• NIST — NVD Program Transition Announcement (Feb 13, 2024)
• CISA — Vulnrichment ADP container (launched May 2024)
• CISA — statement on CVE Program funding (April 2025)
• CISA — xz-utils backdoor advisory (CVE-2024-3094, March 2024)

Academic and research

• RAND — Zero Days, Thousands of Nights (2017)
• Belfer Center — Taking Stock: Estimating Vulnerability Rediscovery (Herr, Schneier, Morris, 2017)
• TikTag (IEEE S&P 2025)
• GitHub Security Lab — Bypassing MTE (May 2025)
• NDSS 2026 — FirmAgent
• arXiv — Breaking Android with AI
• Trail of Bits — Buttercup AIxCC 2nd place

Market and policy analysis

• Atlantic Council — Mythical Beasts
• Atlantic Council — Sleight of Hand
• Atlantic Council — Crash, exploit, and burn (DeSombre Bernsen, June 2025)
• Atlantic Council — Capture the (Red) Flag (Cary & Benincasa, Nov 2024)
• Pall Mall Process — Code of Practice for States (April 2025)
• Pall Mall Process — Declaration (Feb 2024)
• ETH Zürich — From Vegas to Chengdu (Benincasa, June 2024)
• Margin Research — Watching the Watchers (HULK Robot)
• Margin Research — Chinese Private Sector Cyber Landscape
• CSET — Academics, AI, and APTs (Cary, March 2021)
• Recorded Future — CNNVD MSS Influence
• SentinelOne LABScon — Chinese Vulnerability Discovery and Disclosure
• Recorded Future — China's Zero-Day Pipeline
• Light Reading — HarmonyOS adoption
• Caixin — HarmonyOS developer base

FOSS supply-chain

• Russ Cox — xz-utils backdoor forensic timeline
• Sonatype — State of the Software Supply Chain 2024
• SanSec — Polyfill.io supply chain attack analysis
• Linux Foundation — Census III of Free and Open Source Software

Marketplace and trade press

• Crowdfense — Exploit Acquisition Program
• SecurityWeek — Crowdfense $30M program
• SecurityWeek — CISA KEV +20% in 2025
• TechCrunch — Zero-day prices rising (2024)
• TechCrunch — Operation Zero $20M (2025)
• Vice / Motherboard — Zerodium price reduction
• Dark Reading — KEV remediation effectiveness

Mark Dowd primary sources

• OffensiveCon 2022 keynote
• BlueHat 2023 presentation (PDF)
• Risky Business HF13 interview
• 2026 podcast interview on the zero-day exploit marketplace

All citations independently verified at time of publication. Where a counter could not be found in authoritative sources (Claim C4), the absence is stated explicitly rather than fabricated.