Vulnerability Economics

What is a bug worth?

A multi-edition exploration of how the market for software vulnerabilities actually clears — what counts as a bug, who buys it, and how its price is set. The 2026 interactive model is stress-tested against a corpus of ~150 confirmed historical exploit and surveillance-product transactions drawn from court records, leaked invoices, government disclosures, and journalism.

The interactive model

• 2026 — Interactive Model ★ start here
  Pick a pricing object × target × buyer, tune the five forces, toggle AI / geopolitics / provenance / Russian-basis, and read the bracketed price range. Includes a Validation Mode panel scored against the confirmed-price corpus.
  2026-interactive-model.html

Editions

• 2026 — Evidence Edition
  Claim/evidence structure with falsifiable propositions. Integrates Mark Dowd (OffensiveCon 2022, BlueHat IL 2023, Risky Business HF13) as one continuous body.
  2026-evidence-edition.html
• 2026 — Synthesis Edition
  The argument condensed into an idea-card format.
  2026-synthesis-edition.html
• 2022 — Original Framework
  The original decision-tree framework: what counts as a bug, who buys it, how the market clears.
  2022.html
• 2022 — Revised
  First refinement of the 2022 framework.
  2022-revised.html
• 2022 — Revised v2
  Second refinement of the 2022 framework.
  2022-revised-v2.html

The validity layer

The model's algorithm is stress-tested against a machine-readable corpus of confirmed prices, each row carrying a live source link and a third-party archive snapshot.

• Research corpus synthesis
  ~150 priced data points organized by evidence tier.
• Validity stress-test
  The 15-row stress-test, the algorithm gaps (G1–G6, all now addressed), and the bracket scoreboard.
• confirmed-prices-2026-04.json
  The machine-readable corpus (46 rows) read at runtime by the model's Validation Mode.