Charlie has actually written about this issue before in a more academic context:
weis2007.econinfosec.org/papers/29.pdf
Based on the limited data in the paper, it seems that it's the government rather than the vendors that is actually setting the price in the legitimate market, at least for high quality exploits.
I think the X*(billing rate) calculation ignores the risk that the researcher took. It's a little like saying that a startup should be worth exactly the amount of money that has been invested in it.
weis2007.econinfosec.org/papers/29.pdf
Based on the limited data in the paper, it seems that it's the government rather than the vendors that is actually setting the price in the legitimate market, at least for high quality exploits.
I think the X*(billing rate) calculation ignores the risk that the researcher took. It's a little like saying that a startup should be worth exactly the amount of money that has been invested in it.