[1] Worldwide, countries have appointed public institutions to deal with this issue, but they will likely conflict with the interest of their own government to access people's information in order to prevent crime.
Governments face a trade-off between protecting their citizens' privacy through the reporting of vulnerabilities to private companies on one hand and undermining the communication technologies used by their targets—who also threaten the security of the public—on the other.
[4] Hence, only users and private firms have incentives to minimize the risks associated with zero-day exploits; the former to avoid an invasion of privacy and the latter to reduce the costs of data breaches.
The definition given to the demand component will also be challenged, because it is paramount to understand the nature of the markets (i.e. white, gray and black) and their regulation or lack thereof.
Unlike e-books or digital videos, zero-days do not lose their value because they are easy to replicate, but because once they are exposed the original developer will "patch" the vulnerability, decreasing the value of the commodity.
While the latter has been the dominant trend in the last few years, prices in the gray market are set in dollars, as shown by the leaks of Hacking Team's email archive.
[8] Classically, black markets—like illegal weapons or narcotics—require a huge network of trusted parties to perform the transactions of deal-making, document forgery, financial transfers and illicit transport, among others.
Zero-days, on the other hand, are virtual products and can be easily sold without intermediaries over the internet as available technologies are strong enough to provide anonymity at a very low cost.
The supply chain is complex and involves multiple actors organized in hierarchies, where administrators sit at the top, followed by the technical experts.
Second, these "half-day exploits"[12] can be used through graphical interfaces and learned through freely available tutorials, which means that very little expertise is required to enter the market as a seller.
Half-day exploits are usually traded in more easily accessible places but zero-days often require "double-blind" auctions and the use of multiple layers of encryption to evade law enforcement.
On average, prices reported until 2014 were less than ten thousand dollars, but offers of up to $100,000 were made for certain vulnerabilities, depending on the type, criticality, and nature of the affected software.
Hacking Team states on its website that it does "not sell products to governments or to countries blacklisted by the U.S., EU, UN, NATO or ASEAN", although it has been found infringing its own policy.
However, it is likely that some of these procedures are applied in the white and black markets as well: buyers follow standard technology purchasing practices around testing, delivery, and acceptance.
Payments are typically made after a 0day exploit has been delivered and tested against requirements, necessitating sellers to trust buyers to act in good faith.
Brokers and bounty programs, which could be seen as retailers of zero-days, have no control whatsoever over the original producers of the "bad", as the vulnerabilities are independently discovered by different, and often anonymous, actors.
It can be argued that the presence of intelligence agencies as consumers of this "bad" could increase the price of zero-days even further as legitimate markets provide bargaining power to black-market sellers.
They published the formats required for vulnerability submissions, their criteria to determine prices—the popularity and complexity of the affected software, and the quality of the submitted exploit—and the prices themselves.