by tptacek
2020 days ago
This comes up on every thread about vulnerabilities. Zerodium doesn't buy random one-off serverside bugs. It's not that they simply don't have a price listing for them; it's that they don't make a market for them at all. It's not even cut-and-dried for the RCEs that firms like this do buy. Bounty programs at giant tech companies are generally aware of the market prices for RCEs and are not overtly trying to screw you over. The flip side is that the price you get from a broker is (1) negotiated and (2) tranched, so the "number" you get is a best-case, not guaranteed, and can collapse if the bug is burned before the IC agencies the broker sells it to finish using it to hurt people. The bounty number, on the other hand, is a sure thing. But ~nobody is buying auth bypass vulnerabilities. Maybe if you can mint OG Twitter accounts and aren't worried about going to prison.