I got discussing this topic with someone recently and we couldn't reach a consensus so I thought I should ask here. There are commonly thrown around figures regarding the cost of buying a remotely-executable 0-day for IOS, Android, Windows etc. I've seen figures go up to $250,000 USD from companies like Vupen, however Vupen don't disclose anywhere on their site how much they will buy or sell exploits for.
With that in mind, is there any concrete proof of high-value exploits being bought and sold by companies and if so at what kind of prices (I'm excluding things like bug bounty programs etc and i've seen this article but i'm not convinced).
In addition to 'legally' acquired exploits, how much do comparable exploits go for on the 'black market'?