What if the digital keys to your phone and company servers are quietly sold on invite‑only markets to the highest bidder?
Zero‑day flaws—bugs vendors don’t know about—move through a tight ecosystem of brokers, darknet auctions, and government and criminal buyers, often for tens to millions of dollars.
This post lays out how those deals work, who buys and sells, why some exploits command huge sums, and where defenders should focus first.
Read on for the market mechanics, price drivers, and practical steps to reduce risk.

Understanding the Market Mechanics Behind Zero‑Day Sales

A zero‑day vulnerability is a software flaw the vendor doesn’t know about yet. That means defenders get zero days to patch before someone starts exploiting it. These flaws change hands through a structured ecosystem built on technical validation, legal contracts, and encrypted comms. The average zero‑day stays private for 151 days before anyone discloses it, which creates a valuable window for offensive use. When researchers discover these vulnerabilities, they’ve got options: report them responsibly to the vendor, sell to brokers who flip them to governments and corporations, or auction them on darknet forums where buyers hide behind pseudonyms and pay in crypto.

The transaction workflow is pretty predictable. A researcher finds a vulnerability, builds a proof‑of‑concept exploit, and contacts a broker or posts an encrypted listing on a private forum. The broker checks if the exploit actually works (does it function across different device configurations?), whether it’s stealthy (does it leave forensic traces?), and how complex it is (is it a full chain or just a single primitive?). High‑value exploits combine zero‑click delivery, persistence that survives reboots, and cross‑platform compatibility. A remote code execution flaw in iOS that works silently and persists through updates? That’s worth way more than a browser bug that needs user clicks. Pricing shows the range: typical exploits go for $40,000 to $250,000, while elite iOS remote zero‑click chains hit $1.5 million to $2.5 million on platforms like Zerodium. Brokers like Crowdfense have outbid Zerodium by $1 million or more when selling to government clients in Saudi Arabia and the UAE.

Value drivers shape every negotiation. Stealth matters because once defenders spot an exploit in action, it’s done. Reliability determines whether it works on 90% of targets or just 10%. Chain complexity influences price since multi‑stage attacks are harder to develop and more powerful. Target class plays the biggest role: mobile operating systems command premium prices because governments want surveillance of phones. Server exploits appeal to ransomware operators. Obscure industrial systems used by adversaries can fetch six figures even with limited civilian applications. Brokers test exploits in controlled lab environments, running them against multiple device versions and recording success rates before resale. Researchers who consistently deliver high‑reliability exploits build reputations that unlock access to exclusive broker networks and repeat‑buyer relationships.

Primary sales channels:

Broker intermediaries like Zerodium, Crowdfense, Exodus Intelligence, and ReVuln purchase from researchers and resell to vetted government and corporate clients under nondisclosure agreements.

Government contractors including Lockheed Martin, Raytheon, Northrop Grumman, and more than 100 Beltway‑area firms that acquired exploits for intelligence and military applications by 2015.

Private vulnerability markets where boutique vendors offer subscription packages (for example, 25 zero‑days per year for $2.5 million) to institutional buyers.

Dark‑web auctions on invite‑only forums where sellers post encrypted listings, verify buyer credentials through trusted intermediaries, and use escrow services to avoid fraud.

Subscription exploit feeds that provide ongoing access to newly discovered vulnerabilities, letting clients maintain operational capability without per‑exploit negotiation.

Regulated bug‑bounty alternatives like HackerOne and Bugcrowd where researchers disclose vulnerabilities to vendors for legal payouts, usually $10,000 or less—orders of magnitude below offensive market rates.

Real‑world pricing from the market’s mature phase shows the financial scale. In the early 2000s, a decent Windows bug fetched around $50,000, while deep system‑access bugs reached $150,000. Government contractors who paid iDefense under $10,000 for vulnerabilities turned around and resold them for $150,000 by 2004. By the 2010s, Zerodium publicly listed up to $2 million for full‑chain iOS exploits. Android exploit chains ranged from $500,000 to $2.5 million depending on stealth and zero‑click capability. Brokers serving Middle Eastern governments reportedly carried $500,000 in cash to hotel meetings with Eastern European hackers. If a buyer projects $10 million in intelligence value from a specific target, paying $1 million for the exploit becomes cost‑effective. A hypothetical $25 million annual budget for exploit acquisition, at $40,000 to $250,000 per exploit, translates to roughly 86 to 541 additional zero‑days entering private circulation each year.

Key Participants in the Zero‑Day Selling Ecosystem

Nation‑states are the largest and most consistent buyers. Agencies including the NSA, GCHQ, Mossad, and China’s MSS both develop exploits internally and purchase externally to fill capability gaps or speed up operations. Historical sourcing patterns show governments prioritizing targets that align with geopolitical priorities: mobile operating systems for surveillance, industrial control systems for sabotage, and networking hardware for persistent espionage. Defense and intelligence spending jumped more than 50 percent in the five years after the 1998 embassy bombings and 9/11, flooding the exploit market with demand. Governments use exploits for signals intelligence, counterterrorism operations, and strategic cyber campaigns, which justifies prices private buyers can’t match. Israeli middlemen carried duffel bags with $500,000 in cash to buy zero‑days from Eastern European hackers. Unit 8200 veterans became both suppliers and intermediaries. The NSA maintained the largest cyberwarfare workforce and initially needed minimal contractor help, but as operations scaled, more than 100 contractors in the Beltway area joined by 2015.

Corporate buyers and defense contractors operate through structured procurement channels, often bundling exploit acquisition into classified contracts worth millions. Major firms like Lockheed Martin, Raytheon, Northrop Grumman, and Boeing expanded into zero‑day markets as cyber capabilities became core defense products. Some contractors stationed operations in Abu Dhabi, where Emiratis paid former NSA hackers for offensive services through entities like CyberPoint. Boutique vendors such as VUPEN (later rebranded as Zerodium and relocated closer to Beltway customers), Exodus Intelligence, and NetraGard specialized in sourcing and reselling exploits. These brokers act as quality‑control layers, testing reliability and negotiating exclusivity clauses before delivery. Contractors resold the same zero‑day exploits two, three, or four times to different government agencies. Commercial buyers also include private companies purchasing offensive tools for competitive intelligence or defensive research, though these transactions stay far less visible than government deals.

Criminal market participants operate at lower tiers, buying exploits that brokers reject or that have already been used and partially burned. Ransomware operators, credential‑theft gangs, and data‑exfiltration groups source vulnerabilities from private forums and dark‑web marketplaces where prices run lower than government contracts but still reach five or six figures for high‑value targets. Cybercriminals prioritize exploits with broad applicability—browser flaws, email client bugs, and remote desktop vulnerabilities—that enable mass campaigns rather than targeted espionage. The opacity of criminal markets makes volume estimates uncertain, but leaked comms and dark‑web seizures reveal active trading in both fresh zero‑days and older exploits that remain unpatched across large enterprise networks.

Distinct motivations drive each buyer category:

Espionage and intelligence collection by nation‑states seeking persistent access to foreign government, military, and corporate networks.

Surveillance and monitoring of dissidents, journalists, and political opponents by governments purchasing mobile exploits for targeted tracking.

Ransomware operations and financial theft by criminal groups deploying exploits to breach corporate environments and encrypt data for extortion.

Competitive intelligence and industrial espionage by corporations or state‑backed entities stealing trade secrets, intellectual property, and strategic plans.

Strategic deterrence and cyber‑weapon stockpiling by militaries building offensive arsenals to disable adversary infrastructure during conflicts.

How Zero‑Day Pricing and Valuation Are Determined

Brokers calculate exploit value by modeling the intersection of technical capability and buyer demand. Reliability stands as the primary factor: an exploit that works across 95% of target configurations commands higher prices than one requiring specific software versions or hardware. Persistence determines whether an exploit survives system reboots, security updates, or forensic sweeps. Bugs that embed deeply into firmware or kernel memory are worth more because they provide long‑term access. Zero‑click capability adds significant premiums. Exploits triggered by simply receiving a message or visiting a webpage are more operationally useful than those requiring a user to click a malicious link or open an attachment. Stealth matters because detectable exploits lose value once defenders observe them in action and develop signatures. Cross‑platform reach multiplies value: a single vulnerability affecting iOS, Android, Windows, and macOS fetches more than a platform‑specific flaw. Exploit longevity influences pricing models, with brokers offering higher payouts for flaws in software with slow patch cycles or large legacy install bases.

Historical price examples show the range and evolution. In the 1990s, government agencies paid contractors roughly $1 million for a set of 10 zero‑day exploits, budgeting approximately $500,000 to acquire bugs and develop working exploits. Early market prices included around $50,000 for a decent Windows bug and up to $100,000 for bugs in obscure systems used by key adversaries. By the early 2000s, iDefense launched one of the first public bug bounty programs, initially paying $75 to $500 per vulnerability. But government contractors soon offered $150,000 for bugs iDefense had purchased for under $10,000. As mobile computing grew, so did prices: Zerodium offered up to $1 million for remote iPhone hacking exploits, later increasing to $2.5 million. Brokers like Crowdfense, selling to Saudi and Emirati clients, outbid Zerodium by $1 million or more. The market’s maturation brought subscription models, such as 25 zero‑day exploits per year for $2.5 million—an effective per‑exploit price of $100,000.

Exploit Type                                        | Typical Price Range | Buyer Type
----------------------------------------------------|---------------------|---------------------------------------------
Mobile OS Remote Code Execution (zero‑click)        | $1.5M – $2.5M       | Nation‑states, high‑end brokers
Browser Remote Code Execution (reliable, stealthy)  | $100K – $500K       | Government contractors, cybercriminal groups
Server/Enterprise Remote Code Execution             | $200K – $1M         | Intelligence agencies, APT groups
Privilege Escalation (local)                        | $40K – $150K        | Contractors, criminal operators

Market forces keep pushing prices upward as attack surfaces harden and high‑value targets invest in defenses. Buyers increasingly demand full kill chains—complete sequences from initial access through command‑and‑control beaconing, data exfiltration, and obfuscation—rather than single primitives.

The Transaction Process for Selling Zero‑Day Exploits

Initial contact between seller and buyer happens through encrypted messaging platforms including Signal, Wickr, and Telegram, or via introductions on invite‑only forums where reputation systems vet participants. Researchers who discover a vulnerability often reach out to known brokers first, submitting a technical summary that describes the affected software, attack vector, and potential impact without revealing exploitation details. Brokers evaluate the submission, request additional technical evidence, and negotiate terms including price, exclusivity, and delivery timelines. Sellers maintain operational security by avoiding digital identity verification when possible, using pseudonyms, VPNs, and burner communication accounts. Brokers who establish long‑term relationships with prolific researchers may offer retainer agreements or priority pricing for future discoveries.

Proof‑of‑concept validation is the critical gate before payment. Sellers provide demonstration videos showing the exploit in action, test harnesses that allow brokers to reproduce results in isolated lab environments, and reliability metrics documenting success rates across device configurations. Brokers run exploits against multiple software versions, operating system builds, and hardware models to confirm consistency. High‑value transactions may involve in‑person meetings in neutral locations—hotel rooms in Eastern Europe, security conferences, or offices in jurisdictions with favorable legal climates. Historic deals included Israeli middlemen transporting up to $500,000 in cash to hotel meetings with Eastern European hackers who’d developed exploits for government buyers. The validation phase can take days or weeks. Failed validation ends the transaction. Partial failures trigger renegotiation or price reductions.

Contracts, nondisclosure agreements, and legal protections formalize the deal once validation succeeds. Brokers require sellers to sign NDAs prohibiting public disclosure or resale to competitors. Exclusivity clauses prevent sellers from offering the same exploit to multiple buyers, though enforcement remains difficult in underground markets. Some brokers use classified arrangements when selling to government clients, wrapping transactions in national‑security protections that shield details from public scrutiny. Legal contracts specify delivery formats (source code, compiled binaries, or hosted exploitation services), liability limitations (brokers disclaim responsibility for how buyers use exploits), and warranty terms (usually none—exploits are sold “as‑is” with no guarantee of future functionality). The opacity of these agreements means most terms remain secret, visible only when leaks or breaches expose internal comms.

Payment and delivery complete the transaction through escrow services and crypto transfers. Escrow intermediaries—often trusted brokers or forum administrators with established reputations—hold funds until both parties confirm successful delivery and validation. Crypto payments, primarily Bitcoin and Monero, provide pseudonymity and cross‑border transfer capability. Historic cash transactions still occur for high‑value deals, but most modern exchanges use digital currency to reduce physical risk and simplify logistics. Sellers deliver exploits via encrypted file transfer, air‑gapped USB drives handed over in person, or secure cloud storage with time‑limited access credentials. Brokers then test the delivered exploit one final time before releasing payment and, if reselling, begin marketing to their client base under new NDAs.

The process from initial contact to payment usually unfolds in five steps:

Initial contact and technical pitch. Seller reaches out via encrypted channel, provides vulnerability summary, and proposes terms. Broker evaluates market fit and requests additional evidence.

Proof‑of‑concept validation. Seller delivers demonstration video, test harness, and reliability data. Broker reproduces exploit in controlled environment and assesses cross‑platform performance.

Contract negotiation and NDA execution. Parties agree on price, exclusivity, delivery format, and legal protections. Seller signs nondisclosure agreement and any required classified or proprietary agreements.

Payment escrow and fund commitment. Buyer transfers funds to escrow service or directly to seller if trust is established. Escrow holds payment pending final delivery and confirmation.

Exploit delivery and fund release. Seller provides full exploit package. Broker validates final delivery, confirms functionality, and releases escrowed payment.

Legal Channels Versus Gray and Black Markets for Zero‑Days

Bug bounty programs emerged as vendor‑sponsored alternatives to private sales, paying researchers to disclose vulnerabilities directly to affected companies. Platforms like HackerOne and Bugcrowd run programs for hundreds of vendors, offering payouts that usually range from a few hundred dollars to around $10,000 for serious flaws. Microsoft and Facebook operate collaborative programs that reward responsible disclosure with public recognition and financial compensation. These legal channels appeal to researchers who prioritize ethics, legal safety, and long‑term reputation over maximum profit. But the financial gap between bug bounties and offensive markets is stark: a mobile remote code execution exploit might earn $10,000 through a bug bounty but fetch $1 million or more from brokers selling to governments. This disparity undermines purely defensive incentives, especially for researchers in low‑income regions where a single high‑value sale can represent years of earnings.

Commercial vulnerability purchase programs sit in a middle ground between full disclosure and private sales. iDefense and TippingPoint’s Zero Day Initiative purchased nearly 2,400 bugs combined through September 2013, paying researchers for vulnerabilities and later disclosing them to vendors under coordinated timelines. iDefense’s average hold time between purchase and public disclosure was 133 days. ZDI’s was 174 days. During 2010–2012, these two programs published 1,026 vulnerabilities and held about 58 unpublished vulnerabilities on any given day affecting Microsoft, Apple, Oracle, or Adobe. The hold periods allow vendors time to develop and deploy patches before public disclosure, reducing zero‑day windows for attackers. Critics argue these programs still create exposure: vulnerabilities held for months remain exploitable, and some purchased flaws are resold to government clients rather than disclosed. Commercial VCPs pay more than vendor bug bounties but far less than offensive brokers—iDefense capped payouts at $10,000—creating a financial incentive for sellers to route high‑value discoveries to gray‑market brokers instead.

Coordinated vulnerability disclosure workflows involve structured reporting to vendors, temporary embargoes while patches are developed, and public CVE assignment once fixes are available. Vendors rely on this process to manage patch cycles, communicate risks to users, and minimize exploit windows. CVE assignments follow standardized reporting through organizations like MITRE, with severity scores guiding prioritization. Responsible disclosure incentives include recognition in vendor security bulletins, invitations to security conferences, and eligibility for future bug bounty payouts. Yet the process depends on vendor responsiveness: slow patch cycles or dismissive responses push researchers toward private sales.

Incentive differences between legal and private channels:

Financial payout disparity. Bug bounties pay $10,000 or less for serious flaws. Offensive brokers pay $100,000 to $2.5 million for the same vulnerabilities.

Legal and reputational safety. Legal disclosure protects researchers from prosecution and builds public reputation. Private sales carry legal risk and require operational secrecy.

Ethical alignment and public benefit. Responsible disclosure fixes vulnerabilities for all users. Private sales leave flaws unpatched, exposing millions to exploitation.

Speed and certainty of payment. Bug bounties and VCPs provide predictable, structured payouts. Gray‑market transactions involve negotiation, validation delays, and fraud risk.

Regulatory, Ethical, and Policy Implications of Zero‑Day Sales

International regulation of the zero‑day market remains fragmented and inconsistent. The Wassenaar Arrangement, a multilateral export control regime involving 42 countries, includes intrusion software in its controlled list, requiring member states to regulate the sale and transfer of offensive cyber tools. But implementation varies widely: some nations enforce strict licensing and end‑use monitoring, while others apply minimal oversight. The lack of a binding global treaty means brokers and buyers can exploit jurisdictional gaps, relocating operations to countries with favorable legal climates. UN and EU discussions on cyber norms have produced non‑binding principles advocating for responsible state behavior, but enforcement mechanisms don’t exist. The Wassenaar controls aim to prevent proliferation of cyber weapons to authoritarian regimes and criminal actors, yet the market’s opacity and cross‑border nature make compliance monitoring difficult.

The U.S. Vulnerabilities Equities Process, introduced in 2014, established a framework for deciding whether to disclose a discovered or purchased vulnerability to the vendor or retain it for intelligence and military use. The VEP evaluates factors including the severity of the flaw, the number of affected users, the likelihood of independent discovery by adversaries, and the operational value of retaining the exploit. Critics argue the process lacks transparency, with no public data on how many vulnerabilities are retained versus disclosed. Government agencies face a trade‑off: disclosing vulnerabilities protects critical infrastructure and civilian systems, but retention preserves offensive capabilities and intelligence access. The VEP’s existence acknowledges the tension, but its classified nature prevents independent verification of whether decisions balance public safety with national security. Legal risks for exploit sellers vary by jurisdiction. Selling to sanctioned entities or contributing to human rights abuses can trigger criminal prosecution, while sales to allied governments through licensed brokers often proceed without legal consequence.

The risks of hoarded exploits became clear through high‑profile leaks. The Shadow Brokers leak in 2016 exposed a trove of NSA zero‑day exploits, which were subsequently used in the WannaCry and NotPetya ransomware outbreaks, causing billions of dollars in global damage. The Hacking Team breach revealed that the Italian surveillance vendor had sold zero‑days to authoritarian governments, which used them to target journalists, activists, and dissidents. These incidents show collateral risk: exploits stockpiled for strategic advantage can escape government control and fuel widespread harm. The cumulative economic and security impacts of leaked zero‑days are estimated in the billions, with cascading effects on critical infrastructure, healthcare systems, and civilian networks. Public policy debates continue over whether governments should be allowed to purchase and hoard vulnerabilities at all, with transparency advocates pushing for mandatory disclosure timelines and independent oversight of retention decisions.

Historical Evolution and Case Studies in the Zero‑Day Market

The zero‑day market’s origins trace to the late 1990s, when government contractors began informal acquisition of software vulnerabilities from hackers. In the 1990s, agencies paid roughly $1 million for sets of 10 exploits, budgeting about $500,000 to source bugs and develop working tools. Early transactions were cash‑based, conducted through personal networks and hacker conferences. The CIA formed a special working group in late 1995, determining the agency was unprepared for internet‑based intelligence gathering, which spurred investment in offensive cyber tools. The dotcom boom temporarily diverted technical talent into startups, but the crash in 2002—when five trillion dollars in paper wealth vanished and half of all dotcom companies disappeared—pushed skilled hackers back into consulting and vulnerability research. Nasdaq reached its lowest point in September 2002, the same year John P. Watters acquired iDefense for $10 and began transforming it into a commercial vulnerability broker.

iDefense launched one of the first public bug bounty programs in 2003, paying $75 to $500 per vulnerability and receiving approximately 1,000 submissions in the first 18 months, with half being unusable. Symantec’s acquisition of SecurityFocus for $75 million threatened iDefense’s access to the BugTraq hacker forum, forcing Watters to pivot toward direct government sales. By late 2003 and early 2004, government contractors offered iDefense $150,000 for bugs the company had purchased for under $10,000. Watters sold iDefense for $40 million in July 2005. Defense and intelligence spending surged more than 50 percent in the five years following the 1998 embassy bombings in Nairobi and Dar es Salaam and the 9/11 attacks, flooding the market with capital. Israeli middlemen emerged as key intermediaries, transporting $500,000 in cash to Eastern European hackers who’d become major suppliers after the Soviet Union’s breakup. Unit 8200 veterans, among the world’s most talented hackers, participated as both sellers and brokers.

By the mid‑2000s, the market expanded internationally. French broker VUPEN operated from Montpellier before rebranding as Zerodium and relocating closer to U.S. government clients. Boutique firms like ReVuln, NetraGard, Endgame Systems, and Exodus Intelligence offered subscription packages and one‑off sales to government and corporate buyers. More than 100 contractors in the Beltway area were involved in the zero‑day business by 2015, and major defense contractors including Lockheed Martin, Raytheon, Northrop Grumman, and Boeing added cyber divisions focused on exploit acquisition and tool development. The market’s professionalization brought structured contracts, lab validation, and repeat‑buyer relationships, but also increased secrecy and reduced transparency. The Grugq, a South African exploit broker based in Bangkok, was blacklisted by government buyers after discussing his business with Forbes magazine in 2012.

High‑profile cases and leaks reshaped the market’s risk calculus:

Stuxnet (2010). A sophisticated worm using multiple zero‑days targeted Iranian nuclear facilities, demonstrating the strategic use of stockpiled exploits for physical sabotage and marking the first widely documented cyber‑weapon with real‑world destructive impact.

Shadow Brokers leak (2016). A mysterious group leaked NSA zero‑day exploits, which criminal actors repurposed into WannaCry and NotPetya ransomware, causing billions in damage and showing the collateral risks of government exploit hoarding.

Hacking Team breach (2015). A breach of the Italian surveillance vendor exposed sales of zero‑days to authoritarian regimes, revealing how private brokers enable human rights abuses and fuel targeted surveillance of dissidents and journalists.

iDefense commercialization (2003–2005). The first large‑scale public bug bounty program that evolved into a government contractor supplier, establishing the broker model and proving the financial viability of vulnerability acquisition as a standalone business.

Zerodium pricing milestones (2015–present). Public disclosure of million‑dollar bounties for iOS exploits brought transparency to offensive pricing and sparked public debate over whether such markets should be legal or regulated.

The Future of Zero‑Day Exploit Trading

Demand for zero‑day exploits is expected to grow as more critical systems move online, encryption proliferates, and nations invest in cyber capabilities. Proliferation of Internet‑of‑Things devices, cloud infrastructure, and industrial control systems expands the attack surface, creating new categories of high‑value targets. Governments continue to prioritize offensive cyber tools for espionage, surveillance, and strategic deterrence, ensuring sustained buyer demand. Boutique firms already produce more than 100 exploits per year each, with an estimated 85 zero‑days available on any given day from private providers. Market segmentation by severity and target class will likely deepen, with specialized brokers focusing on mobile exploits, industrial systems, or cloud environments. Subscription models and exploit‑as‑a‑service offerings will grow, allowing buyers to maintain operational capabilities without per‑vulnerability procurement negotiations.

Technological shifts will reshape both supply and demand. Artificial intelligence and automated fuzzing tools may reduce the cost and time required to discover vulnerabilities, increasing supply and potentially lowering per‑exploit prices for common target classes. Elite exploits—those with zero‑click delivery, cross‑platform reliability, and deep persistence—will remain expensive because developing and testing full chains still requires significant expertise. Memory‑safe languages like Rust are gaining adoption, which may reduce the prevalence of memory‑corruption bugs that have historically dominated high‑value exploit categories. As these languages replace C and C++ in critical codebases, attackers will shift focus to logic flaws, authentication bypasses, and supply‑chain vulnerabilities. Endpoint security improvements, including hardware‑based attestation and kernel‑level protections, will raise the bar for reliable exploits, pushing prices higher for vulnerabilities that bypass modern defenses.

Organizations and vendors face growing risks as the market matures. The existence of a lucrative private market for zero‑days undermines coordinated disclosure and lengthens the window during which users remain vulnerable. Vendors must speed up patch cycles, invest in vulnerability rewards programs that compete financially with gray‑market brokers, and adopt defensive engineering practices that reduce exploitable attack surfaces. Enterprises should assume that high‑value zero‑days targeting their environments are already in circulation, held by adversaries who purchased them from brokers. Risk mitigation includes deploying layered defenses, monitoring for anomalous behavior that might indicate zero‑day exploitation, and prioritizing patches for software commonly targeted in the marketplace. As AI‑driven automation increases discovery rates and global cyber budgets grow, the zero‑day market will remain a central force shaping the balance between offense and defense in cyberspace.
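The value drivers described earlier (reliability, persistence, zero‑click delivery, stealth, cross‑platform reach, longevity and target class) are the same properties that make an unpatched flaw dangerous in a defender's own estate, so they can rank a patch queue the way the paragraph above recommends. The following Python is an added example, not code from the original post or from any broker; the weights, the Exposure fields and the sample estate are all constructed assumptions for illustration.

```python
"""Rank a defender's patch queue using the exploit value drivers this page lists.

Added example: the weights below are illustrative assumptions, not any broker's
actual pricing formula. What makes an exploit expensive on the private market
(reliability, persistence, zero-click delivery, stealth, cross-platform reach,
slow patching, a premium target class) is what makes the same unpatched flaw
dangerous in your own environment, so the drivers double as a patch ranking.
"""
import math
from dataclasses import dataclass

# Assumed target-class weights, ordered like the page's price table:
# mobile OS at the top, local privilege escalation at the bottom.
TARGET_CLASS_WEIGHT = {
    "mobile_os": 1.0,
    "server": 0.8,
    "browser": 0.6,
    "local_privesc": 0.3,
}


@dataclass(frozen=True)
class Exposure:
    """One unpatched flaw present in the defender's estate (hypothetical record)."""
    name: str
    target_class: str
    reliability: float   # 0..1: fraction of configurations a working exploit is known to hit
    zero_click: bool     # triggers on receipt of a message/packet, no user action needed
    persists: bool       # survives reboots or updates (kernel/firmware foothold)
    stealthy: bool       # no public signatures or forensic traces yet
    platforms: int       # number of platforms the same bug affects
    days_unpatched: int  # how long the flaw has been open in our environment
    exposed_hosts: int   # hosts in our estate running the affected software


def exploit_attractiveness(e: Exposure) -> float:
    """Approximate how attractive the flaw is to a market buyer (higher = pricier).

    Each multiplier mirrors one driver named on the page; coefficients are assumed.
    """
    if e.target_class not in TARGET_CLASS_WEIGHT:
        raise ValueError(f"unknown target class: {e.target_class!r}")
    if not 0.0 <= e.reliability <= 1.0:
        raise ValueError("reliability must be between 0 and 1")
    score = TARGET_CLASS_WEIGHT[e.target_class]
    score *= 0.5 + e.reliability                    # 90%-reliable beats 10%-reliable
    score *= 1.5 if e.zero_click else 1.0           # zero-click premium
    score *= 1.3 if e.persists else 1.0             # persistence premium
    score *= 1.2 if e.stealthy else 1.0             # undetected exploits keep their value
    score *= 1.0 + 0.15 * max(0, e.platforms - 1)   # cross-platform reach multiplies value
    return round(score, 3)


def patch_priority(e: Exposure) -> float:
    """Defender-side priority: attractiveness scaled by our own exposure.

    Longevity (the page's slow-patch-cycle driver) grows linearly and caps at 2x
    after a year; host count enters logarithmically so one huge fleet does not
    drown every other signal.
    """
    longevity = 1.0 + min(e.days_unpatched, 365) / 365.0
    reach = math.log10(10 + e.exposed_hosts)
    return round(exploit_attractiveness(e) * longevity * reach, 3)


def rank_patch_queue(exposures):
    """Return exposures ordered from most to least urgent to patch."""
    return sorted(exposures, key=patch_priority, reverse=True)


def driver_breakdown(e: Exposure) -> dict:
    """Which drivers pushed this item up the queue, for an analyst's report."""
    return {
        "target_class": e.target_class,
        "zero_click": e.zero_click,
        "persists": e.persists,
        "stealthy": e.stealthy,
        "cross_platform": e.platforms > 1,
        "days_unpatched": e.days_unpatched,
        "attractiveness": exploit_attractiveness(e),
        "priority": patch_priority(e),
    }


# Constructed sample estate (hypothetical names and numbers, not real CVEs).
SAMPLE_ESTATE = [
    Exposure("messaging-parser-rce", "mobile_os", 0.95, True, True, True, 2, 30, 400),
    Exposure("browser-renderer-rce", "browser", 0.70, False, False, True, 3, 10, 2000),
    Exposure("file-server-rce", "server", 0.90, True, False, False, 1, 120, 40),
    Exposure("local-privesc", "local_privesc", 0.99, False, False, False, 1, 200, 3000),
]

if __name__ == "__main__":
    for item in rank_patch_queue(SAMPLE_ESTATE):
        print(f"{patch_priority(item):7.3f}  {item.name:24s}  {driver_breakdown(item)}")
```

Note how the widely deployed browser bug lands just above the server flaw only because of its host count and cross‑platform reach; swapping in your own estate numbers is the point of the exercise.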

Final Words

In summary, the piece walked through discovery, broker intermediaries, and the sale workflow, including encrypted comms, PoCs, NDAs, escrow, and crypto payments.

We showed what drives value, like stealth, reliability, chain complexity, and target class, and gave price examples from $40k up to $2M+ for elite chains. We listed primary sales channels and compared legal to gray markets.

If you need one takeaway: understanding how zero‑day vulnerabilities are sold helps teams prioritize patching and risk mitigation. Stay proactive and optimistic; defenses keep getting better.

FAQ

Q: Is it legal to find zero-day vulnerabilities?

A: Finding zero-day vulnerabilities is legal in many jurisdictions, but how you test, disclose, or sell them can break laws or contracts; permission, disclosure policy, and local rules determine legality.

Q: How are zero-day vulnerabilities found?

A: Zero-day vulnerabilities are found by security researchers using fuzzing, static and dynamic analysis, code review, reverse engineering, and AI-assisted tools to trigger and reproduce unknown bugs before vendors patch them.

Q: What is a common method to exploit a zero-day vulnerability?

A: A common method to exploit a zero-day is chaining the bug into a remote code execution payload delivered via crafted network traffic, malicious documents, or drive-by browser code to gain unauthorized control.

Q: What is the most famous zero-day vulnerability?

A: The most famous zero-day is EternalBlue and related NSA tools leaked by Shadow Brokers; EternalBlue powered the WannaCry worm and highlighted risks from hoarded governmental exploits.
