To Disclose or Not? An Analysis of Software User Behavior

We address the ongoing debate over disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that full public disclosure can be an equilibrium strategy in a game played by rational, loss-minimizing agents. We provide conditions under which full disclosure of vulnerabilities improves social welfare, and we analyze how vendor and product characteristics, as well as the composition of the pool of software users, affect the decision to disclose. We also provide conditions under which welfare is further improved either by users' threats to disclose to the public after a grace period granted to the vendor, or by users' ability to develop fixes themselves. The likelihood that user-developed fixes improve welfare increases with users' familiarity with the details of the software, which provides an argument for "open source" software.

2006 Elsevier B.V. All rights reserved.

JEL classification: A12; C72; D81; L15
