Desired Effect Launches Ethical Marketplace to Deliver Zero-Day Intelligence to Defenders First

Zero-day vulnerabilities have always been a race we seem to lose — attackers get the head start, and defenders scramble after the fact. A new platform called Desired Effect is trying to change that dynamic, and I believe it’s something we should be paying close attention to.

Desired Effect, founded by industry veteran Evan Dornbush, has launched an ethical marketplace for zero-day vulnerabilities. The goal is simple but powerful: give defenders rapid access to zero-day information and reward researchers directly, without waiting for the slow wheels of traditional responsible disclosure.

Most of us know the usual cycle: a researcher finds a flaw, reports it to a vendor, and waits — often months — while attackers may already be exploiting it. Desired Effect flips that:

  • Researchers are in control and can sell their discoveries directly to vetted buyers.
  • Defenders gain early access to vulnerabilities before public disclosure or widespread exploitation.
  • No vendor-induced delays, meaning less time for attackers to act first.

Dornbush is clear: it’s not about bypassing responsible disclosure for its own sake — it’s about giving researchers a fairer, faster, and more controlled way to share their findings ethically.

The marketplace works like a transparent, legitimate trading floor for vulnerabilities:

  • Researchers (sellers) list zero-day vulnerabilities.
  • Organizations (buyers) purchase access to this intelligence to shore up their defenses.
  • Buyers purchase licenses to the vulnerability information rather than exclusive rights, similar to software licensing.
  • Desired Effect handles vendor notifications and patch coordination if buyers prefer not to deal with that process.

Today, the platform is invite-only for researchers, but it’s already operating with 60 zero-days available. Early partners include a regional bank, a Big Four accounting firm, an energy utility, and a cryptocurrency exchange.

One of the smartest ideas I see here is how Desired Effect enables collective bidding. Instead of one hospital trying to outbid threat actors for a critical device vulnerability, multiple hospitals can pool resources to offer a fair market price. It’s a real-world way to bring security within reach for organizations that normally wouldn’t be able to compete against organized cybercrime budgets.

There’s an important reality to acknowledge: attackers may still eventually get the information. But Desired Effect ensures that defenders get it first, and faster than before.

This early warning advantage means:

  • Quicker internal patches and mitigation
  • Better protection before vulnerabilities are weaponized at scale
  • More time to update security products like firewalls, IDS, and endpoint protection

Instead of reacting after a breach, we get the chance to proactively defend.

I see Desired Effect offering something we’ve needed for a long time: transparent, efficient access to critical zero-day information. It’s a disruption, yes — but one that moves the advantage back toward defenders.

If you’re serious about strengthening your organization’s security posture before the next supply chain or infrastructure-targeted attack, this kind of marketplace intelligence could quickly become a critical part of your toolkit.
