RAND Corporation recently received rare access to study a couple of hundred 0-day vulnerabilities and their exploits.
It turns out that 0-day vulnerabilities live for about 6.9 years before being found or disclosed, and that the sets found by a pair of serious opponents (typically nation-state governments) have only a few percent overlap. This means that releasing discoveries to the public provides very little defensive value while obviously destroying offensive ability.
The report (summary and full text [PDF]) includes quite a bit more about the industry, including some estimates of pricing and headcount.
(Score: 0) by Anonymous Coward on Tuesday March 21 2017, @06:21AM
The PDF explains it well. There are a bunch of fancy statistics, particularly relating to lifetime. The weakest assumption is that the set of vulnerabilities found in the private set of about 200 is of a similar nature to the ones that are public. Still, it's not a bad assumption, especially given the known properties of that set of vulnerabilities. From there we may compute the chance that a pair of adversaries will discover the same bugs or different bugs.
The NSA may well be releasing a steady stream of foreign-discovered 0-days to 'our team'. There is no way they'd take credit for it. Probably they'd use anonymous bug reports to the vendor.
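An added worked example, not part of the story or of the comment above: a small Python model of the "same bugs or different bugs" computation the comment refers to. It treats each adversary as an independent uniform sample from one common pool of exploitable bugs, so the overlap is hypergeometric. The numbers (a pool of 5,000 bugs, each side holding 200) are assumed for illustration and are not figures from the RAND report; the function names are my own.

```python
from math import comb
import random


def expected_overlap_fraction(pool_size, found_a, found_b):
    """Expected fraction of A's bugs that B also holds.

    Each of A's bugs lands in B's independent uniform sample with
    probability found_b / pool_size, so the expectation is exactly that
    (hypergeometric mean divided by |A|).  found_a is accepted for
    symmetry with the other functions but does not change the result.
    """
    return found_b / pool_size


def expected_fraction_burned(pool_size, found_a, found_b):
    """Fraction of B's stockpile that would be killed if A disclosed
    everything it holds: the mirror image of expected_overlap_fraction.
    This is the 'defensive value' of disclosure under the model."""
    return found_a / pool_size


def prob_no_overlap(pool_size, found_a, found_b):
    """Probability that the two samples share no bug at all:
    C(N - a, b) / C(N, b) for a hypergeometric draw."""
    return comb(pool_size - found_a, found_b) / comb(pool_size, found_b)


def implied_pool_size(observed_overlap_fraction, found_b):
    """Invert the expectation: if a fraction f of A's bugs also turn up
    in B's set of size b, the model says the pool holds about b / f bugs."""
    return found_b / observed_overlap_fraction


def simulate_overlap(pool_size, found_a, found_b, trials=2000, seed=0):
    """Monte Carlo check of expected_overlap_fraction: draw both sets
    independently and average the observed overlap fraction."""
    rng = random.Random(seed)
    shared = 0
    for _ in range(trials):
        a = set(rng.sample(range(pool_size), found_a))
        b = set(rng.sample(range(pool_size), found_b))
        shared += len(a & b)
    return shared / (trials * found_a)


if __name__ == "__main__":
    # Assumed illustrative inputs, not report figures.
    N, A, B = 5000, 200, 200
    print("expected overlap fraction:", expected_overlap_fraction(N, A, B))
    print("simulated overlap fraction:", simulate_overlap(N, A, B))
    print("P(no shared bug):", prob_no_overlap(N, A, B))
    print("pool size implied by 4% overlap:", implied_pool_size(0.04, B))
```

The point the numbers make: with 200 bugs apiece and a few percent overlap, the model needs a pool in the thousands, and disclosing one side's whole stockpile removes only that same few percent of the other side's. The weak spot is the uniform-sampling assumption the comment flags: if both sides hunt the same popular targets, real overlap is higher than this model predicts.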