The black market in previously undiscovered vulnerabilities in commercial software is now so well established that a single flaw can sell for up to $160,000.
Prices depend on the sophistication of the vulnerability and on how widely the affected operating system or commercial software is deployed.
In an attempt to counter this rapidly growing problem, many technology companies have started “bug bounty” reward programmes.
But Microsoft, which had previously stopped short of offering cash rewards of this kind, has felt compelled to come in with an offer of $100,000 for novel exploitation techniques that bypass the protections built into Windows 8.
Google, which recently upped its bounty to $20,000, and Facebook, which has so far paid only up to $20,000 for a single bug, may have to rethink their bug bounty programmes to remain effective.
The market is being driven upward by the increasing participation of governments eager to stay one step ahead of their rivals, according to the NYT report.
Top buyers of software flaws include the US, UK, Israel, Russia, India, Brazil, North Korea, Malaysia and Singapore, the paper said.
This is especially worrying given that some of these black market suppliers specialise in vulnerabilities in industrial control systems, which can be used to gain access to or disrupt national utilities such as electricity or water.
The rapid growth of the market for software vulnerabilities presents a serious challenge to commercial software producers. It also underlines the growing importance of supply chain security.
Responding to the NYT report, Jeremiah Grossman, founder and CTO of WhiteHat Security, said huge black market rewards are likely to tempt rogue developers to plant bugs in software.
“It is hard enough to find vulnerabilities in source code when developers are not purposely trying to hide them,” he said.
Supply chain security has become an increasing priority as cyber attackers have turned to infiltrating weakly defended companies and working their way up or down the supply chain to reach their end target.
In response to this concern, the UK’s Ministry of Defence has teamed up with nine large defence firms and telecoms providers to set up the Defence Cyber Protection Partnership (DCPP).
The DCPP is the latest in a series of cyber security initiatives by the government since cyber threats were categorised as one of the national defence priorities in 2010.
The partnership will look to implement controls and share threat intelligence to increase the security of the defence supply chain.