A zero-day market is the trade in software vulnerabilities that vendors do not yet know about, along with the exploits that weaponize them. Because no patch exists, a zero-day grants its holder a window of reliable, often stealthy access to targeted systems, which is what gives the underlying knowledge its price.
Analysts typically distinguish three tiers:
- White market: bug bounty programs run by vendors (Google, Microsoft, Apple) and platforms like HackerOne and Bugcrowd, where researchers disclose flaws in exchange for relatively modest payouts.
- Gray market: brokers such as Zerodium and Crowdfense who purchase exploits from researchers and resell them, usually exclusively, to government customers. Zerodium's published price list has at times offered up to US$2.5 million for a full-chain Android zero-click and US$2 million for iOS equivalents.
- Black market: criminal forums where exploits are sold to ransomware crews, fraud rings, and unvetted buyers.
The market matters to international relations because governments are major buyers. Commercial spyware vendors including NSO Group (Pegasus), Intellexa (Predator), and Candiru rely on zero-days to compromise journalists, dissidents, and officials. Citizen Lab and Amnesty International have documented dozens of such cases since 2016, prompting US Executive Order 14093 (March 2023) restricting federal use of commercial spyware, and the UK- and France-led Pall Mall Process launched in February 2024 to curb proliferation of commercially available cyber intrusion capabilities.
The market also fuels the vulnerabilities equities debate: when a state agency stockpiles a zero-day for intelligence use rather than disclosing it, the same flaw remains exploitable by adversaries. The 2017 WannaCry and NotPetya outbreaks, both leveraging EternalBlue — an SMB exploit reportedly developed by the NSA and leaked by the Shadow Brokers — are the canonical cautionary tale.
For MUN and policy researchers, the zero-day market sits at the intersection of export control regimes (notably the Wassenaar Arrangement's 2013 "intrusion software" controls), human rights law, and cyber norms discussions at the UN Open-Ended Working Group.
Example
In 2021, Citizen Lab reported that NSO Group's Pegasus spyware used a zero-click iMessage exploit known as FORCEDENTRY against Saudi activists, illustrating how zero-day market purchases translate into targeted surveillance.
Frequently asked questions
Generally no, but it depends on jurisdiction, the buyer, and export controls. The Wassenaar Arrangement and EU Dual-Use Regulation (2021/821) require licenses for exports of certain intrusion software outside trusted partners.
Keep learning