Comment by tptacek
2 months ago
There's also the thing where like, as you go from iOS Safari to Windows Chrome to Acrobat Reader or whatever, grey market prices plummet. The top-dollar targets all have multilayered runtime protections and whole teams that do nothing but security refactoring. No serverside software is hardened that way (excepting the Linux kernel, maybe, but Linux kernel bugs are a standard component of clientside exploit chains). You could infer a pretty low price.
I will say: at Matasano, we were once asked by an established security company that turned out to be a broker to find PHPBB vulnerabilities.