Vulnerability Sales Market
Some vulnerabilities in the 0-day category (zero-day vulnerabilities) cost tens or hundreds of thousands of dollars, and some cost millions. Below are the most expensive software security flaws ever discovered. Information security experts explained what makes them special and why not only hackers but also intelligence agencies from different countries hunt for 0-days.
A 0-day vulnerability (or zero-day) is the name given to flaws in software that hackers already know about but the software's developers do not yet know about.
The zero in the name stands for the number of days developers have to fix the vulnerability before it can be exploited.
There are two markets for such vulnerabilities: the darknet and bug bounty platforms, online platforms where large companies place orders to search their software products and infrastructure for critical vulnerabilities. On the darknet, such goods are mainly transferred from one criminal to another. "Mainly" because sometimes special services buy them for espionage. On bug bounty platforms, "white hat" hackers (honest pentesters "from the people") are paid a reward by companies that do not want the software flaw to be used against them. In both cases, 0-days cost a lot of money.
As an example of the largest 0-day payouts, the expert cited a case from 2022, when the creators of the Wormhole cryptocurrency paid $10 million to a researcher nicknamed satya0x for discovering a critical vulnerability in the code of the crypto asset itself.
Exploiting this vulnerability could have resulted in users' funds being locked.
In second place is a similar vulnerability in another blockchain system, the one on which the Aurora cryptocurrency was built. The "white hat" hacker pwning.eth was paid $6 million for discovering it.
The top three is rounded out by Google's $605,000 payment to researcher gzobqq. In 2023 he discovered a group of five vulnerabilities in the Android operating system. Neither before nor since has Google paid cybersecurity researchers that much for such findings. The company did not disclose details about these problems, but it is known that, because of a memory error, they allowed attackers to escalate their privileges in Android and gain almost unlimited control over the system.
If hackers had gotten to these zero-day vulnerabilities before gzobqq, many Android users could have suffered.
In fourth place is the HamsterWheel vulnerability, which information security specialists from CertiK found in the Sui cryptocurrency blockchain. The Coinbase crypto exchange paid $500,000 for its discovery. This happened in August 2024, and the payment was the largest in the history of HackerOne (the best-known bug bounty platform). HamsterWheel got its name because it allowed processes in the Sui blockchain to be sent into an endless loop, which made the cryptocurrency completely illiquid. Moreover, this vulnerability would most likely have allowed attackers to steal money directly from the crypto project.
The record asking price for a 0-day vulnerability is $15 million. That is how much the hacker IntelBroker asked for on a darknet forum in 2024 for a vulnerability in Jira, the most popular project management service in the IT industry.
Fees in the millions or hundreds of thousands of dollars for selling or discovering a 0-day are already a reality.
The cost of a vulnerability depends on several factors: the size of the affected product's audience, the scope of the product, and, most importantly, the options the vulnerability opens up for the attacker. On the last point, the ability to substitute the payment recipient is especially valued, because it opens up virtually unlimited prospects for theft and enrichment.
An expert from our company's development and testing department called 0-day vulnerabilities the most dangerous and destructive, since they are used often, take a long time to fix, and are poorly detected by security tools. These are the criteria that make 0-days so expensive and so desirable.
They are the most dangerous type of vulnerability because developers and users may simply not know they exist, which lets hackers exploit them for a long time.
From theory to practice
Although large companies diligently hunt for 0-days and, as the fees of "white hat" hackers show, spend substantial sums on this, vulnerabilities still become weapons in the hands of hackers from time to time.
The most prominent example of a 0-day vulnerability that was put to use in practice is EternalBlue. It was stolen (and later published) in March 2017 by the Shadow Brokers hacker group from another group, the Equation Group, whose activities are attributed to the US National Security Agency. The vulnerability was later used to spread the WannaCry malware (one of the first ransomware programs, which locked computers and demanded a ransom to unlock them), and as a result information systems in more than 200 countries were affected.
Another example is Log4Shell in the Apache Log4j library, which is used for logging in most programs written in Java. In simple terms, Apache Log4j keeps a record of what a program's processes are doing, which developers use, for example, to identify errors.
Because Apache Log4j is used everywhere, millions of devices around the world were at risk. The vulnerability allowed hackers to execute arbitrary code remotely and had existed for almost a decade.
Like EternalBlue, Log4Shell was used not only by hackers but also by intelligence agencies in various countries.
We are ready to pay for each collision found in any of the hashing algorithms.