
What is the least interesting vulnerability whose sale you have firsthand knowledge of that fetched more than $20,000?

Have you personally ever sold a vulnerability?



FWIW I don't agree with the assessment of the OP. While there are some security firms that do have contracts, the vast majority of NSA capability is internally developed (or developed under contract by defence contractors).

As for the "market assessment" I find it implausible. It seems to be based on the assumption that the demand for capabilities has decreased over time while the availability of good bugs has increased. This is at odds with reality.


I believe you on this a lot more than I believe anonymous employees of a firm known principally for giving a brand name to an Admin->Root privilege escalation bug.


More defence contractors than internal, I'd understood?


I've contacted independent brokers before, many of whom allegedly resell primarily to "the US government". When asked about hypothetical Tor 0day, they quoted a price of $150,000 before their 20% broker fee. So I'm not sure that 6 figures for most trivial vulnerabilities fits the market.

(And obviously, I don't have such a 0day to sell, so I can't prove that they would actually pay up.)


People believe a lot of weird stuff about vulnerability prices. For instance, any time a post hits HN about someone getting a $500 bounty for an XSS, there's always a post or two saying that's a rip-off compared to the tens of thousands of dollars it would fetch on the black market --- as if single-site XSS vulnerabilities with a half-life measured in minutes were worth huge amounts of money.


I commented on this back when Facebook paid out $30k for that RCE. I know the Facebook security team points to this comment all the time. Maybe more people should read it:

https://news.ycombinator.com/item?id=7106953


Oh we're not talking trivial bugs or single-site XSS.

Disappointed that 'mediocre' vulns got interpreted in this thread as 'trivial'.

Mediocre doesn't mean trivial, extremely scoped or useless. Mediocre means that it is for sensitive but not widely deployed software, for widely deployed software on default config but is post-auth or is not reliable, or it is reliable and yields high auth but requires pairing with another vuln (i.e. memory disclosure) or extended recon (revision number, etc).

A MySQL bug affecting recent revisions that causes arbitrary file overwrites with semi-controlled content but that requires unprivileged (guest) auth would meet these criteria.

Apologies for the confusion with the word 'mediocre' - I figured people here would know.

In general organizations in the offensive world will pay more than those in the defensive world. This is not a hard and fast rule, but mostly it is the case that offensive network operations stand to gain more from the use of 0days than vendors stand to lose by not paying for the disclosure to patch them. It's not really a good calculus to use data from vendors sales to calculate the other.


A post-auth MySQL bug sold for five figures?! Why? How does anyone make money with that bug?


It's worth five figures to the buyer if they can make five figures or more of value from it.

Not speculating about nation states here but 'groups': making good money from post-auth MySQL RCE is not totally absurd - Amazon, Rackspace, HP, Heroku and Jelastic all offer MySQL-as-a-service, where you are given low privilege (maintained, geo-redundant, etc) account access to a shared MySQL instance. If there's more than five digits of business value stored in that database then a five digit exploit makes sense.

Or think about any of the (poorly written) bitcoin services out there that use some default phpAdmin creds for a database that also hosts their vault.


I would be quite happy with a $500 bounty for a trivial XSS bug. That pays for two days of work for me. :D


Six digits sounds about right for a Tor bug for one target depending on the specifics. The RCE bug used by the FBI recently against the Tor Firefox Bundle would have cost something similar, though the payload suspended the process where it could have resumed silently. It's not clear where that exploit was developed (my gut says in house but who knows?)


IIRC someone analyzed the payload and compared it to a Meterpreter and saw a lot of similarities. Could have been provided (hacked together?) by the person who sold the vuln.



