An examination of private intermediaries’ roles in software vulnerabilities disclosure

Software vulnerability disclosure has generated much interest and debate. Recently, some private intermediaries have entered this market. This paper examines the effects of such private intermediaries on the optimal timing of the disclosure policy set by public intermediaries, and on vendors' reactions to it. Our analysis of private intermediaries' role suggests that a public intermediary's optimal disclosure time does not change with a private intermediary's participation. However, a vendor's patch time increases when the probability of information leakage is low, if not non-existent. In other words, private intermediaries' service decreases a vendor's willingness to deliver quick patches. Empirical evidence from 1493 vulnerability observations from CERT/CC and a further 326 different vulnerability observations from iDefense supports our analytical results.
