An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, the publication of vulnerability information, has generated intense debate, and an important consideration in that debate is the behavior of software vendors: how quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer these questions. Our results suggest that disclosure accelerates patch release: the instantaneous probability (hazard rate) of a patch being released rises by nearly two and a half times as a result of disclosure. Open source vendors release patches more quickly than closed source vendors, and vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities that are not disclosed by CERT. We verify our results against another publicly available data set and find them consistent. We also show how our estimates can aid policy makers in their decision making.
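
The abstract's headline result is a hazard ratio: at any instant, a disclosed but still-unpatched vulnerability is about 2.5 times as likely to receive a patch as an undisclosed one. The example below is added here to show how such a figure is estimated from patch-timing data; it is not the paper's code or data. It uses a constructed sample of ten vulnerabilities (days until patch, whether a patch ever shipped during observation, whether the vulnerability was disclosed), computes Kaplan-Meier survival curves and median patch times per group, a constant-hazard ratio that accounts for still-unpatched (right-censored) records, and a Cox proportional-hazards fit with disclosure as the single covariate. The record format, field names and all numbers are assumptions for illustration.

```python
"""Survival-analysis reading of "disclosure accelerates patch release".

Added example, not from the paper. Each record is one vulnerability:
days observed until the patch shipped (or until observation ended),
whether a patch was actually released (False = right-censored, still
unpatched when observation ended), and whether it was publicly disclosed.
The data are constructed for illustration, not the paper's data set.
"""
import math
from collections import namedtuple

Vuln = namedtuple("Vuln", "days patched disclosed")

# Constructed sample: five disclosed and five undisclosed vulnerabilities.
RECORDS = [
    Vuln(12, True, True), Vuln(20, True, True), Vuln(33, True, True),
    Vuln(45, True, True), Vuln(60, False, True),      # unpatched at day 60
    Vuln(30, True, False), Vuln(75, True, False), Vuln(110, True, False),
    Vuln(150, True, False), Vuln(180, False, False),  # unpatched at day 180
]


def kaplan_meier(records, disclosed):
    """Kaplan-Meier curve S(t) = P(still unpatched after t days) for one
    group. Censored records stay in the risk set until they drop out
    without contributing an event, so they are not silently discarded."""
    group = [r for r in records if r.disclosed == disclosed]
    curve, surv = [], 1.0
    for t in sorted({r.days for r in group if r.patched}):
        at_risk = sum(1 for r in group if r.days >= t)
        events = sum(1 for r in group if r.days == t and r.patched)
        surv *= (at_risk - events) / at_risk
        curve.append((t, surv))
    return curve


def median_patch_time(curve):
    """First time at which at most half of the group is still unpatched."""
    for t, surv in curve:
        if surv <= 0.5:
            return t
    return None  # more than half still unpatched when observation ended


def constant_hazard(records, disclosed):
    """MLE of a constant hazard: patches released per vulnerability-day of
    exposure. Censored records add exposure time but no event."""
    group = [r for r in records if r.disclosed == disclosed]
    return sum(r.patched for r in group) / sum(r.days for r in group)


def hazard_ratio_exponential(records):
    """Ratio of the disclosed to the undisclosed constant hazard."""
    return constant_hazard(records, True) / constant_hazard(records, False)


def cox_fit(records, tol=1e-10, max_iter=50):
    """Cox proportional-hazards fit with one binary covariate (disclosed),
    Newton-Raphson on the Breslow partial log-likelihood. Returns
    (beta, exp(beta)); exp(beta) is the hazard ratio, so a value of 2.5
    would mean a disclosed vulnerability is 2.5 times as likely to be
    patched at any instant, given that it is still unpatched."""
    beta = 0.0
    event_times = sorted({r.days for r in records if r.patched})
    for _ in range(max_iter):
        grad = hess = 0.0
        for t in event_times:
            risk = [r for r in records if r.days >= t]          # risk set at t
            w = [math.exp(beta * r.disclosed) for r in risk]
            total = sum(w)
            mean_x = sum(wi * r.disclosed for wi, r in zip(w, risk)) / total
            var_x = sum(wi * (r.disclosed - mean_x) ** 2
                        for wi, r in zip(w, risk)) / total
            events = [r for r in records if r.days == t and r.patched]
            grad += sum(r.disclosed for r in events) - len(events) * mean_x
            hess -= len(events) * var_x
        step = grad / hess
        beta -= step
        if abs(step) < tol:
            break
    return beta, math.exp(beta)


if __name__ == "__main__":
    for label, flag in (("disclosed", True), ("not disclosed", False)):
        curve = kaplan_meier(RECORDS, flag)
        print(f"{label:14s} S(t): {curve}  median: {median_patch_time(curve)} days")
    print(f"constant-hazard ratio: {hazard_ratio_exponential(RECORDS):.2f}")
    beta, hr = cox_fit(RECORDS)
    print(f"Cox beta={beta:.3f}  hazard ratio={hr:.2f}")
```

Two details matter in practice. Unpatched vulnerabilities must be kept as censored observations rather than dropped, otherwise the vendor that never patches looks faster than one that patches late. And the Cox model estimates the ratio of hazards without assuming a shape for the baseline patch-release hazard, which is why a result like the paper's can be stated as a multiplicative effect on the instantaneous probability rather than as a difference in average days.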
