Finding the right vulnerability and selling it as a zero-day exploit to the right person could be just as lucrative as a lucky draw in the lottery. Forbes is running an article in which a middleman is hooking up hackers with "government agencies" that are willing to pay $250,000 for a vulnerability - and possibly more. Apparently, a dozen such deals were struck in 2011 and, if this author's math is right, about five dozen deals may go down through this one individual this year.
According to the article and security middleman "the Grugq", an Adobe Reader issue can bring up to $30,000, a Mac OS X vulnerability up to $50,000, and an Android exploit up to $60,000. Flash or Java will take you to $100,000, Word to $100,000, Windows to $120,000, Firefox or Safari to $150,000, Chrome or IE to $200,000 and iOS to $250,000. iOS jailbreaks can also get quite a bit of money - apparently, agencies are ready to pay a quarter-million dollars for the exclusive rights to a stack.
In one case, the Grugq noted that he may have "lowballed" an iOS vulnerability at $250,000. Hackers approaching the Grugq will have to hand over the vulnerability "and not ask too many questions" - and pay a 15 percent sales fee. According to the Forbes article, buyers are "Western governments" and "specifically the U.S." The Grugq said that he is not selling the vulnerabilities to other entities: "Selling a bug to the Russian mafia guarantees it will be dead in no time, and they pay very little money," he told Forbes. "Russia is flooded with criminals. They monetize exploits in the most brutal and mediocre way possible, and they cheat each other heavily." He added that he has no contacts with the Russian mafia.