Comment by dadrian

2 months ago

I'd also add that the legality of law enforcement exploiting a server-side bug is much more of a gray area (or actually illegal), whereas there is a standard process for law enforcement or the intelligence community to get a court order that enables them to exploit devices that belong to a specific target (phone, laptop, etc).

There's also the thing where like, as you go from iOS Safari to Windows Chrome to Acrobat Reader or whatever, grey market prices plummet. The top-dollar targets all have multilayered runtime protections and whole teams that do nothing but security refactoring. No server-side software is hardened that way (excepting the Linux kernel, maybe, but Linux kernel bugs are a standard component of client-side exploit chains). You could infer a pretty low price.

I will say: at Matasano, we were once asked by an established security company that turned out to be a broker to find phpBB vulnerabilities.