What is a bug worth?
A multi-edition exploration of how the market for software vulnerabilities actually clears — what counts as a bug, who buys it, and how its price is set. The 2026 model is stress-tested against a corpus of ~150 confirmed historical exploit and surveillance-product transactions drawn from court records, leaked invoices, government disclosures, and journalism.
The full argument, rebuilt for reading. Opens with the four pricing objects, surfaces the eight emergent themes, and treats every forward-leaning claim as a falsifiable proposition with a supporting and a detracting data point.
Pick a pricing object × target × buyer, tune the five forces, toggle AI / geopolitics / provenance, and read the bracketed range. Includes Validation Mode scored against the confirmed-price corpus.
The argument condensed into an idea-card format.
The original decision-tree framework: what counts as a bug, who buys it, how the market clears.
First refinement of the 2022 framework.
Second refinement of the 2022 framework.
The model's algorithm is stress-tested against a machine-readable corpus of confirmed prices, each row carrying a live source link and a third-party archive snapshot.