
I didn't see anything regarding higher rewards. Have they increased them at all?

$29m for 10 years of bug fixes seems like a steal for a multi-billion dollar company. Especially if some of those bugs that have been reported and fixed are potentially lethal for the company.

They pay what they need to pay. I'm sure they're also monitoring the dark web for black hats selling vulnerabilities instead of collecting bounties.


Google and Apple's bids weren't high enough to get anyone in dozens of shady governments with access to NSO Group's services to successfully risk adding burner phones and then analyze these attacks.

I think any alternative explanation to too cheap is even less savory.


People will sell bugs on the grey market no matter what Google pays, because not everybody can do business with Google.

A reminder that grey market exploit purchases are tranched; the figures you hear for them are payout caps, not lump sums. If your bug is burned before all the tranches pay out, you're SOL.


True, but I think you missed my point a little.

The NSO group has been entrusting its vulnerabilities to people who would happily embezzle if it is some sufficient amount of money. If the bounty is ~2X these people's typical price in many countries that are NSO Group clients, then it is remarkable these bugs aren't being burned as a form of embezzlement. Your description of tranched payment risk only makes that more remarkable.


NSO's clients have effectively unlimited budgets. The bang for the buck on exploits is probably pretty shocking compared to alternative intelligence collection methods; sending actual people out to do stuff is incredibly expensive. When you raise the price of exploits --- which you should do for other reasons! --- you don't necessarily harm NSO. Since they effectively take a cut of exploit valuation, you may even help them.


As with any asset that's hard to lock down, if the scrap value is high enough relative to salary of employees then they can't estimate how many phones can be exploited before the next "steal stuff from work" event.

As such the NSO Group would end up limiting its clients to fit its pipeline and have trouble buying exploits since most other market participants have a single workforce with a drastically lower rate of loss.

I think that would devolve to countries needing to pay liability pricing per attack on possible honeypot phones, etc., and more countries being cut off like Morocco, so no more using it like an unlimited plan. Sure, these countries have unlimited budgets relative to their own GDPs, but when they can't find stability acting as a group they are all back to bidding for unique vulnerabilities, and there probably aren't 212 great ones on every platform at all times.


NSO's clients are all organizations with effectively unlimited budgets. That's the premise. Even the shadier companies in NSO's space sell principally to state actors. It's unlikely that Google can drive the price of an exploit past the level that any country can pay for. These are petty cash figures.

NSO builds implant technology, so they add some value of their own, but NSO is essentially a middleman in this market. Driving up the prices of the underlying asset, when buyers aren't price sensitive, helps the middleman.


Okay fair, it's unreasonable to ask Google (who have a limited budget) to 'compete' with the grey market. But isn't then the conclusion to introduce bug bounties with unlimited budgets, e.g. sponsored through the European Union?

It would be interesting to see how high the prices really go - at some point NSO clients might see more efficiency in going for more traditional military means.