That depends entirely on what the "0 day" is, and how it's packaged. Again: do you really think anyone's getting 5 figures for XSRFs in random Google properties? These are flaws that have instantaneously ZERO value once Google finds out they're being exploited --- unlike remote code execution flaws, which have a half-life.