NICOLE PERLROTH and DAVID E. SANGER:

Still, said Mr. Soghoian of the A.C.L.U., “The bounties pale in comparison to what the government pays.” The military establishment, he said, “created Frankenstein by feeding the market.”

In many ways, the United States government created the market. When the United States and Israel used a series of flaws — including one in a Windows font program — to unleash what became known as the Stuxnet worm, a sophisticated cyberweapon used to temporarily cripple Iran’s ability to enrich uranium, it showed the world what was possible. It also became a catalyst for a cyberarms race.

When the Stuxnet code leaked out of the Natanz nuclear enrichment plant in Iran in the summer of 2010, the flaws suddenly took on new value. Subsequent discoveries of sophisticated state-sponsored computer viruses named Flame and Duqu that used flaws to spy on computers in Iran have only fueled interest.

“I think it is fair to say that no one anticipated where this was going,” said one person who was involved in the early American and Israeli strategy. “And today, no one is sure where it is going to end up.”