This Forbes article on the zero-day bug market is quite interesting. It highlights that there are buyers (mostly government intelligence agencies) willing to pay hundreds of thousands of dollars for specific exploits. Exploits for Adobe Reader sell for between $5k and $30k, while iOS exploits sell for between $100k and $250k. The buyers? Western spy agencies. What about the software vendors themselves?
Google typically offers a maximum of $3,133.70 for information about the most complex flaws in its software, a number that’s meant to spell out “elite” in hacker slang.
Perhaps there are good reasons for companies to refuse to participate in a market that revolves around exploiting their mistakes. And maybe the brokers who deal in these exploits aren't actually allowed to sell the exploits to them, for fear of being accused of blackmail. Or maybe companies don't want to have to pay market rates for a problem they have identified and are resolving.
Still, there are ways around all of these problems. In the end this seems to be a subject that most companies are too prideful to treat properly. Something that used to be offered for free or quite cheaply is getting expensive, and companies are caught flat-footed. But some companies are finally starting to accept reality: according to a recent New York Times study of zero-day exploits, Microsoft recently raised its top bounty to $150,000. Facebook, when it is willing to make payouts, has made payments as high as $20,000.
Suppliers who used to provide these services for free are starting to realize they should be paid, at the same time that more buyers are entering the marketplace. Combine this with high-profile bounty rejections, and more hackers will figure out that there are usually other ways to monetize their findings. Given the supply and demand dynamics in this market, it is unlikely that prices are going anywhere but up.