2026 Synthesis Edition — Twelve Core Ideas in Vulnerability Economics
A vulnerability has no intrinsic price. Its value is the expected payoff of converting a defect into durable access for a specific buyer, minus the costs of discovery, chaining, maintenance, exposure, time decay, and rediscovery. Twelve ideas explain everything else this paper says.
Casey Ellis — April 25, 2026. This edition synthesizes the framework into core ideas, weighting evidence equally across primary sources rather than privileging any single voice. Earlier editions: 2022 · 2022-revised · 2022-v2 · 2026 evidence edition.
Eleven core ideas, each one falsifiable, none load-bearing on a single source.
The pricing object — the thing the buyer pays for — is rarely the bug.
| Object | Definition | Buyer |
|---|---|---|
| Defect | Latent flaw in code or hardware | Bug bounty programs (Apple Security Bounty raised full-chain payouts to $2M in 2025) |
| Exploit primitive | Validated way to convert a defect to capability | Brokers and chain assemblers |
| Chain | End-to-end composed capability | Government direct buyers; Crowdfense's $30M acquisition program publicly listed $7M iOS, $5M Android, $9M zero-click SMS/MMS in 2024 |
| Access | The target's data, communications, or session | End customers (intelligence services, surveillance vendors); DOJ's March 2025 i-Soon indictment documented PRC pricing of $10K-$75K per compromised email account |
Disambiguating the four objects dissolves several long-running disputes. Bounty payouts and broker prices are not the price of an iOS bug; they price different objects with different liquidity, exclusivity, and obligations. A government contract is not paying for a chain; it is paying for maintained access through the chain's degradation curve. A ransomware affiliate is not buying a defect; it is buying access, and it is indifferent between credentials, an n-day, or a 0-day if the operational outcome converges.
A second conflation cuts across all four objects: advertised offers versus realised sales. Ex-brokers Maor Shwartz (Black Hat 2019, Q-recon: 17% from companies, 15% from governments) and "the grugq" independently disclose a ~15–17% intermediary commission, and the Williams DOJ case shows an advertised $20M Operation Zero ceiling clearing at ~$162K per exploit. A published broker sheet is a bounding curve, not a transaction record.
Six forces shape what a buyer will pay for any of the four pricing objects. They interact, dominate one another at different points in the lifecycle, and respond to substitution pressure.
The hidden total-cost-of-ownership variable. Discovery and development are one-time costs; maintenance compounds with every patch cycle. On hardened tier-one targets, maintenance dominates the first two combined within 12-18 months of a chain reaching production. Most external valuations count only the first two.
Vulnerabilities are wasting options. Their value declines as exposure, patching, and detection close in. RAND's Zero Days, Thousands of Nights (2017) reported a median latent life of 6.9 years on a small private dataset of held zero-days; the figure is widely cited and almost certainly overstates residual lifetime under 2026 conditions.
A burned exploit is worse than worthless. It exposes attribution chains, leaks technique, retires similar capabilities by signature, and creates diplomatic friction. Vendor claims that a specific mitigation prevented attacks must be read with care: operators select capability against observed defenses; if a target runs Lockdown Mode, the operator deploys something else, not the same payload.
The 0-day is rarely the only path to the operational effect. Substitutes include n-days, stolen credentials, supply chain compromise, insider recruitment, telecom interception, cloud-account takeover, and social engineering at scale. Mandiant's M-Trends 2025 places stolen credentials as the second initial-access vector at 16 percent, behind only exploits at 33 percent. Verizon's 2025 DBIR reports credential abuse in 22 percent of 12,195 incidents.
The gap between holding a defect and producing the operational outcome: chain assembly, OPSEC, deployment infrastructure, target reconnaissance, and operator tradecraft. Two buyers holding the same defect may extract orders-of-magnitude different value because their conversion machinery differs. State-direct prices look high in the abstract and reasonable in the context of pipelines that cost tens of millions to maintain.
The rate at which a privately-held capability becomes worthless because someone else independently found it. The empirical baseline (Section 6) is 10-22 percent annualized for public datasets; AI-assisted research is pushing the rate up. Rediscovery is the constraint that bounds every other force — an exploit you can't keep private cannot be priced for maintained access.
The same technical artifact attracts seven different prices. The model depends on what the buyer values, what substitutes they have, and what obligations they accept.
| Model | Object purchased | Pricing logic |
|---|---|---|
| A. Boutique offensive | Full chain plus maintenance contract | Cost-plus; high obligations and exclusivity |
| B. State-directed volume | Many chains and access points; tolerant of brittle bugs against unpatched targets | Aggregate access value; decentralized procurement (PRC model) |
| C. Initial-access broker | Validated access | Per-foothold; n-days and credentials beat 0-days when both work |
| D. Ransomware industrial | Access plus encryption tooling and leverage | Expected ROI net of dwell-time risk and substitute access vectors |
| E. Chaotic / anti-economic | Whatever is available; ideological or expressive | Outside rational pricing |
| F. Commercial surveillance | One full chain amortised across many sovereign customers | Recurring SaaS-style on top of chain investment (NSO, Paragon, Intellexa pattern) |
| G. Defensive intelligence | The defect plus the option to disclose | Cost of class kill, not cost of exploit (ZDI, broker-funded VRPs) |
Two structural notes. First, the top-tier offensive market is gated by trust networks rather than procurement; pricing is opaque and illiquid because customer vetting runs on word-of-mouth. Second, the market boundary is wider than exploit pricing: effect-based buyers (Section 7) route demand into cloud abuse, telecom interception, and sister-company services that produce the same operational outcome.
AI is the largest live variable. It changes the time axis on both sides simultaneously, but asymmetrically.
The China-side picture cuts against the symmetric reading. Western AI vendors impose hard guardrails on offensive output; DeepSeek's V3 and R1 ship without comparable restrictions. NIST CAISI's September 2025 evaluation found DeepSeek agents roughly 12x more likely than US frontier models to be hijacked into malicious instruction-following. Cisco's red-team evaluation found DeepSeek failed to block any harmful prompt where GPT-4o blocked 86 percent. Huawei's HULK Robot has been credited with roughly 25 percent of bugs fixed in Linux 5.4 and 15 percent in 5.10 (per Margin Research), with the structural concern that Huawei tests fixes on its openEuler distribution before upstreaming. Whether the defender tailwind wins on net depends on which side's tailwind is structurally larger — and that is now an open question.
Class-killing mitigations work where they ship into managed stacks. They do not generalise to enterprise edge or FOSS.
The cost curve thesis is not a 2026 narrative. The empirical baseline was documented at OffensiveCon 2019 in Mark Dowd's keynote What's in a Jailbreak? Hacking the iPhone 2014-2019. A 2015-era iOS 9 jailbreak required roughly five components: a Safari exploit, a sandbox escape, a kernel exploit, an optional KPP bypass, and persistence. By iOS 12 in 2019 the same operational outcome required all of the above plus a bulletproof JIT bypass, a user-mode PAC bypass, a kernel-mode PAC bypass, a PPL bypass, and an APFS remounting bug — roughly ten components. NSO's 2016 Pegasus chain relied on JIT writes, vtable overwrites, ROP backdoors, multi-kernel patches, file-system remounting, and user-mode backdoors; by 2019 every one of those primitives had been mitigated by some combination of GigaCage, fast permission switching, KTRR, PAC, APFS integrity, and PPL. Dowd's 2019 forward prediction — that further mitigations would push offensive operations toward "data-only attacks" and "weird machines" while Apple shipped data-structure integrity verification in response — is precisely the trajectory that produced MIE on the A19 six years later. The chain-complexity curve has been measured, not asserted, across more than a decade.
The cost curve crosses unevenly. It crosses cleanly on hardened-mobile and browser surfaces where the West has spent the engineering capital. It has not crossed for enterprise edge devices, telecom infrastructure, or critical-infrastructure OT. The 2024-2025 PRC-attributed Salt Typhoon and Volt Typhoon campaigns exploited exactly the segments where Western vendors have not invested at the rate of Apple and Google. The cost curve is geographically and sectorally uneven.
Rediscovery is the rate at which a privately-held capability becomes worthless not because it was burned or patched but because someone else independently found it.
Two foundational empirical estimates anchor the discussion, and they disagree:
The two papers measured different populations — held private bugs vs publicly-disclosed ones — but the gap is wide enough to matter for every economic claim downstream of it. Earlier estimates (Ozment 2005 at 9 percent for immature software; Finifter, Akhawe, Wagner 2013 at 4.6 percent for Chrome) sit between the two.
Every economic claim about privately-held capability bends through rediscovery. Maintenance cost is rational only if the asset survives long enough to amortise the burden. Cascade strategies (Section 8) are bets that rediscovery is low enough to amortise the same bug across operators. The bifurcation thesis is partly a rediscovery story: premium chains have low rediscovery (novel logic, multiple obscure components); commodity bugs sit at or above the Herr rate. The middle thins because maintenance economics work only at the rediscovery extremes.
The policy consequence is the Vulnerabilities Equities Process. If rediscovery is closer to 1 percent, retention dominates; if closer to 22 percent, disclosure dominates. The Western VEP was built when 5.76 percent was a defensible upper bound. The empirical case for retention has been weakening since 2017, and AI is weakening it further.
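One way to make the rediscovery argument concrete: an added expected-value model, constructed for this edition rather than taken from the paper or any source it cites, that scores a retain-versus-disclose decision for a held capability at the 1, 5.76 and 22 percent annualized rediscovery rates discussed above, with maintenance compounding year over year. All dollar figures, growth rates and the disclosure value are labelled assumptions.

```python
# Constructed retention-vs-disclosure model for a privately held capability.
# Added illustration, not the paper's model; every number below is an assumption.
from dataclasses import dataclass


@dataclass(frozen=True)
class Capability:
    annual_value: float    # operational value per year while the bug is live and still private
    maint_cost0: float     # maintenance cost in the first year
    maint_growth: float    # yearly compounding of maintenance (it compounds per patch cycle)
    exposure_loss: float   # one-off loss if a rival independently finds and uses the same bug
    horizon_years: int     # planning horizon


def survival(rate: float, years: int) -> float:
    """Probability nobody else has rediscovered the bug after `years` at annualized `rate`."""
    return (1.0 - rate) ** years


def retention_value(cap: Capability, rate: float) -> float:
    """Expected net value of keeping the bug private over the horizon.

    A year contributes value only if the bug is still private, minus that year's
    (growing) maintenance bill; a rediscovery during the year costs the exposure loss.
    """
    total = 0.0
    for year in range(1, cap.horizon_years + 1):
        alive = survival(rate, year)
        maint = cap.maint_cost0 * (1.0 + cap.maint_growth) ** (year - 1)
        total += alive * (cap.annual_value - maint)
        rediscovered_this_year = survival(rate, year - 1) - alive
        total -= rediscovered_this_year * cap.exposure_loss
    return total


def decide(cap: Capability, disclosure_value: float, rate: float) -> str:
    """VEP-style call: retain if expected retention value beats the fixed value of disclosing."""
    return "retain" if retention_value(cap, rate) > disclosure_value else "disclose"


def breakeven_rate(cap: Capability, disclosure_value: float, step: float = 0.001) -> float:
    """Lowest rediscovery rate on a grid at which disclosure wins (1.0 if retention always wins)."""
    for i in range(int(round(1.0 / step)) + 1):
        rate = i * step
        if decide(cap, disclosure_value, rate) == "disclose":
            return rate
    return 1.0


# Constructed parameters in $M: a chain worth 3/yr, maintenance starting at 0.5 and growing
# 40%/yr, a 10 loss if a rival lands it first, 5-year horizon, disclosure worth 4 (class kill).
EXAMPLE = Capability(annual_value=3.0, maint_cost0=0.5, maint_growth=0.4,
                     exposure_loss=10.0, horizon_years=5)
DISCLOSURE_VALUE = 4.0

if __name__ == "__main__":
    for rate in (0.01, 0.0576, 0.22):  # the three rates this section discusses
        print(f"rediscovery {rate:.2%}: value {retention_value(EXAMPLE, rate):6.2f} -> "
              f"{decide(EXAMPLE, DISCLOSURE_VALUE, rate)}")
    print(f"break-even rediscovery rate: {breakeven_rate(EXAMPLE, DISCLOSURE_VALUE):.3f}")
```

With these assumed parameters retention wins at 1 and 5.76 percent and loses at 22 percent, and the break-even sits between 8 and 9 percent; shifting the exposure loss or the maintenance growth moves that break-even, which is the sensitivity a VEP deliberation should actually be arguing about.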
Buyers pay for outcomes, not for capability artifacts. The most under-priced shift in the 2026 marketplace.
The 2024-2025 Salt Typhoon campaign is the operational case at strategic scale. The August 2025 CISA / NSA / FBI joint advisory, co-signed by twelve nations, attributed compromise of nine US carriers including the systems used to service CALEA wiretap requests. The operational outcome — access to a target's location, communications, metadata — was achieved without endpoint exploit chains. Substitution at the top of the market does not necessarily route through the broker tier.
Three substitution axes operate simultaneously: 0-day vs n-day (time), exploit vs credentials (vector), endpoint vs cloud-or-telco (architecture). When MIE pushes endpoint chain prices into eight figures, cloud-account takeover at $5K from an access broker becomes the rational substitute for many operational objectives. The exploit is a means; capability is benchmarked against the cheapest substitutable means of producing the same effect.
Persistence has been quietly demoted as a consequence. Symantec / Broadcom documents 62 percent of CrowdStrike's 2025 detections as malware-free; in-memory tradecraft dominates at the endpoint. But persistence has migrated rather than disappeared: M-Trends 2025 reports 44 percent of 2024 zero-days hit enterprise edge devices — VPNs, firewalls, security appliances — precisely because those targets survive endpoint EDR.
The exploit market is splitting along a clear seam. Premium-few full chains for sovereign customers; commodity-many "button" tools for municipal-tier buyers; the middle thinning.
The mechanism is mechanical: as mitigations stack and chains get longer, brittler, and more expensive, the producer faces a choice. Serve a few customers paying top dollar for full chains, or commoditise and serve many customers cheaply. The middle — where chains are not trivial but not strategic crown jewels — thins because the maintenance economics do not support boutique custom work for a small number of mid-budget customers.
The supply side concentrates geographically. Mythical Beasts identifies six structural patterns:
The 0-day price paradox resolves through the same mechanism. Discovery cost is collapsing — AI helps. Weaponisation cost is exploding — modern chains require five or more components where three sufficed five years ago, each independently maintained. Zerodium reduced 1-click iOS payouts from $1.5M to $1M citing oversupply at that tier; Crowdfense and Operation Zero raised premium-tier ceilings 2-3x over the 2019 baseline. The market is bifurcated, not uniformly inflating.
The defender tailwind reaches managed stacks. It does not reach the federated FOSS supply chain at all.
The Section 5 cost-curve thesis assumes a vendor architecture where a merged pull request becomes a shipped patch within a release cycle the vendor controls. Most exploitable code does not live in that architecture. Open-source dependencies travel through maintainer review (often one unpaid individual), upstream release, distro repackaging, container-image rebuild, transitive-dependency resolution, and downstream consumer adoption — a chain measured in months to years.
Three live cases anchor the asymmetry:
The structural point: FOSS supply chain is the inverse of the managed-vendor ecosystem the cost-curve thesis describes. Authority is decentralised, maintainer capacity is the binding constraint, downstream propagation is unowned, trust is built socially. The Linux Foundation's Census III documents that a small number of critical packages have one or zero active maintainers. AI raises the floor for attackers in this ecosystem — cheap PRs, cheap social engineering, cheap fuzzing of obscure dependencies — without raising it commensurately for defenders, because there is no vendor budget to spend the AI tailwind on.
The mobile and disclosure-regime threat model is fragmenting along geopolitical lines. The 2010s assumption that iOS-and-Android encompasses the strategic surface no longer holds in Asia.
Two regulatory regimes have diverged. China's CNNVD, operated by the MSS 13th Bureau, beats NVD to publication 43 percent of the time on average but only 3 percent of the time when a vulnerability is being actively exploited by Chinese APT groups; 267 publication dates have been retroactively altered to obscure the MSS evaluation window. The US-side equivalent infrastructure is meanwhile partially decommissioned: NIST acknowledged a backlog and reduced enrichment of CVEs in February 2024; CISA stood up the Vulnrichment ADP container in May 2024 to fill the gap; the MITRE CVE program required emergency funding extension in April 2025. The asymmetry is the load-bearing point: China's adversarial mirror operates at full capacity while the US central infrastructure has been federated under emergency conditions.
The competition pipeline mirrors the regulatory divergence. China runs an estimated 54 annually-recurring hacking competitions (Atlantic Council, 2024) that route vulnerabilities into MSS, MPS, and PLA branches. Matrix Cup 2024 offered ¥18M (roughly $2.5M) for zero-day exploits; Tianfu Cup returned January 2026 under MPS lead with an AI-assisted vulnerability-discovery track and the contest website blocked to non-China IP addresses after the event.
Sanctions, indictments, mandatory-disclosure regimes, AI export controls, and adversarial vendor-security investments now drive the same variables the model is trying to price.
The Atlantic Council's Crash, exploit, and burn (DeSombre Bernsen, June 2025) is the comparative study. Western (US, FVEY) supply is "international, opaque, loosely affiliated networks" with feast-or-famine procurement cycles, prime-contractor concentration (L3Harris, ManTech), and middlemen extracting value rather than creating it. PRC supply is a comprehensive feeder system from CTFs through universities into the MSS, MPS, and PLA, with state-mandated vulnerability flow into CNNVD, decentralised provincial procurement, civil-military fusion since 2017, and an "A-team to D-team cascade" that extends every chain's shelf-life through tiers of operators. The Western middle market is structurally weak in ways the Chinese middle is not.
The political pressure is bidirectional. The 2024 trajectory was toward more state intervention: the Pall Mall Process Code of Practice (April 2025) committed 23 states to oversight of commercial cyber intrusion capabilities; China has not engaged. The late-2025 trajectory was toward less: Treasury lifted sanctions on three Intellexa-affiliated executives; the DHS Cyber Safety Review Board was disbanded in January 2025, terminating its Salt Typhoon investigation; ICE acquired Paragon-related contracts post-inauguration. The marketplace is being actively re-engineered on both sides.
The capital story complicates the policy story. Mythical Beasts documents 14 distinct US-based entities investing in spyware vendors or suppliers, 12 of which target Israeli firms. Paragon Solutions, established in Israel in 2019, is backed by Battery Ventures and Blumberg Capital out of Boston; the firm sells to municipal-tier customers (per Citizen Lab) and was acquired by ICE-adjacent contracting in late 2025. The same US that sanctions Chinese contractors and signs the Pall Mall Process is also the largest non-Israeli source of capital fuelling the very vendors those sanctions ostensibly target. Capital, talent, and policy are running on three different clocks.
No model of a market this opaque is right. The question is whether it is useful.
All sources cited inline above are listed here. Treated as peers; no single source is privileged.