While mostly hidden in private conversations, details sometimes emerge about the parallel economy of vulnerability exploits on underground forums, revealing just how fat of a wallet some threat actors have.
Some adversaries claim multi-million U.S. dollar budgets for acquiring zero-day exploits, but those who don't have this kind of money may still have a chance to use zero-days if a new 'exploit-as-a-service' idea becomes reality.
Large exploit acquisition budgets
The dialog about vulnerabilities, both old and new, in cybercriminal communities sometimes includes offers to buy exploits for big money.
One forum user in early May offered $25,000 for proof-of-concept (PoC) exploit code for CVE-2021-22893, a critical-severity vulnerability in Pulse Secure VPN that had been leveraged by Chinese hackers since at least April.