No, there isn't. Even the people who participate in the grey market for exploits (sales that aren't overtly prohibited by law and for which participation would be unlikely to make you an accessory to a felony) are very quiet about it.
But, a good starting point might be the analyses people have done on the Hacking Team leak.
What's your opinion on bug bounties for hosted applications vs. bug bounties for actual pieces of software?
To me, the latter seem like a much more obviously good idea than the former. Notably, issues of somebody going out of scope (like the Facebook issue a while back) mostly disappear. Bounties on things like Chrome seem to be almost drama-free; the worst possible case, aside from somebody 0-daying a bug out of anger, is somebody not getting paid.
I don't know much about it tbh. tptacek and a few others have spoken extensively about bug bounties on HN. I'll try and dig up a few of their past comments.
Essentially what the argument comes down to is that a one off bug to exploit a company like Facebook is actually not worth very much to anyone on the black market because the bug is likely only valid for one company and that company will likely patch the bug very quickly. This leaves the attacker with a very narrow window to exploit the bug.
Attackers on the black market paying for exploits are looking to make money from those exploits. If there is only one place they can use the exploit, and perhaps only a few days or even hours to use it, how much would it really be worth? The exploits that pay big on the black market are ones that are enormously widespread and less likely to be fixed quickly.
If I can find better, more detailed, explanations I'll post them here. Maybe tptacek can link to his past comments...
What's more, there can't really be an established "market" for a unique exploit. If a product isn't being regularly traded, then there's no easily findable pool of buyers. There's also no ongoing/repeat business, which, outside of contract law (and even for plenty of business conducted under contract), is all there is to keep people honest.
You'd need to be very well connected to be able to get good value out of an exploit. There could very well be people that are. Hackers in leather dusters travelling the world exchanging thumb drives in shady third-world bars sounds cool as hell; in fact, I hope there are people living that life just because it makes reality that little bit more interesting. But your average pen tester isn't that.
Whenever I see the "better value on the black market" crowd show up here, I'm actually reminded of a bit (Jim Jefferies, I think) about the black market not meaning you can just head down to the docks at night going "GUNS. I WANT TO BUY A GUN".
> [...] that company will likely patch the bug very quickly.
I have heard of many instances where it isn't the case (some bugs are being exploited for months before the company finds out)... and you probably have too... but anyway, as an example, you don't need a lot of time to copy lots of data...