A zero-day vulnerability is a software flaw unknown to the vendor. Specialised researchers discover these bugs, then sell them through brokers to government buyers. Prices range from tens of thousands to millions of dollars depending on the target software and reliability of the exploit. This grey market operates largely outside public view, creating a supply chain for offensive cyber capabilities.