Emerging Issues in Responsible Vulnerability Disclosure

Security vulnerabilities in software are the primary cause of security breaches, and an important challenge for IT professionals is how to manage the disclosure of vulnerability information. The IT security community has proposed several disclosure policies, such as full vendor, immediate public, and hybrid, and has debated which of these should be adopted by coordinating agencies such as CERT. Our earlier study (Cavusoglu et al. 2004a) analyzed the optimal disclosure policy that minimizes social loss when a vulnerability affects only one software vendor. In this paper, we extend that earlier work in three directions in order to shed light on current issues in the vulnerability disclosure process. (i) When the vulnerability affects multiple vendors, we show that the coordinator's optimal policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator's grace period in the multiple-vendor case falls between the grace periods that it would set individually for the vendors in the single-vendor case. (ii) We analyze the impact of early discovery, which can be encouraged with proper incentive mechanisms, on the release time of the patch, the grace period, and social welfare. (iii) We also investigate the impact on social welfare of an early warning system that provides privileged vulnerability information to selected users before the release of a patch for the vulnerability. Finally, we explore several policy implications of our results and their relationship to current disclosure practices.

[1] Detmar W. Straub et al. Coping With Systems Risk: Security Planning Models for Management Decision Making, 1998, MIS Q.

[2] Rahul Telang et al. Market for Software Vulnerabilities? Think Again, 2005, Manag. Sci.

[3] Robert E. Verrecchia. The Use of Mathematical Models in Financial Accounting, 1982.

[4] Paul E. Fischer et al. Public Information and Heuristic Trade, 1998.

[5] Robert E. Verrecchia et al. Competitive Disadvantage and Discretionary Disclosure in Industries, 1997.

[6] Robert M. Bushman et al. Public Disclosure and the Structure of Private Information Markets, 1991.

[7] Joel S. Demski et al. Market response to financial reports, 1994.

[8] Eric Rescorla et al. Is finding security holes a good idea?, 2005, IEEE Security & Privacy.

[9] Tiina Havana. Communication in the software vulnerability reporting process, 2003.

[10] Linda Pesante et al. CERT® Coordination Center, 2002.

[11] Russell J. Lundholm. Public Signals and the Equilibrium Allocation of Private Information, 1991.

[12] Peter Mell et al. Procedures for Handling Security Patches, NIST, 2002.

[13] Sanford J. Grossman. On the Impossibility of Informationally Efficient Markets, 1980.

[14] William A. Arbaugh et al. IEEE 52 Computer, 1985.

[15] Danna Voth et al. Software Flaws: To Tell or Not to Tell? / Open Source in the US Government, 2003, IEEE Softw.

[16] Huseyin Cavusoglu et al. Model for Evaluating, 2022.

[17] Houston H. Carr et al. Threats to Information Systems: Today's Reality, Yesterday's Understanding, 1992, MIS Q.

[18] Detmar W. Straub et al. Effective IS Security: An Empirical Study, 1990, Inf. Syst. Res.

[19] Ethan M. Preston et al. Computer Security Publications: Information Economics, Shifting Liability and the First Amendment, 2002.

[20] David N. Weil et al. Full Disclosure, 1996.

[21] Peter Mell et al. Procedures for handling security patches, 2002.

[22] Fred Niederman et al. Information Systems Management Issues for the 1990s, 1991, MIS Q.

[23] Huseyin Cavusoglu et al. Assessing the Value of Detective Control in IT Security, 2002.

[24] Juha Röning et al. Agents of responsibility in software vulnerability processes, 2004, Ethics and Information Technology.

[25] Marcel Worring et al. NIST Special Publication, 2005.

[26] J. Röning et al. The Vulnerability Process: A Tiger Team Approach to Resolving Vulnerability Cases, 1999.

[27] Kishor S. Trivedi et al. On the Analysis of Software, 1997.

[28] Huseyin Cavusoglu et al. The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers, 2004, Int. J. Electron. Commer.