An examination of private intermediaries' roles in software vulnerabilities disclosure

Authors:
Pu Li;H. Raghav Rao
Affiliations:
State University of New York, Buffalo, USA 14260;State University of New York, Buffalo, USA 14260
Venue:
Information Systems Frontiers
Year:
2007

Citing 0
Cited 3

Drivers of information security search behavior: An investigation of network attacks and vulnerability disclosures

ACM Transactions on Management Information Systems (TMIS)
Correlated failures, diversification, and information security risk management

MIS Quarterly
Are markets for vulnerabilities effective?

MIS Quarterly

Quantified Score

Hi-index	0.00

Visualization

Abstract

Software vulnerability disclosure has generated much interest and debate. Recently some private intermediaries have entered this market. This paper examines the effects of such private intermediaries on optimal timing of disclosure policy made by public intermediaries and vendors' reactions. Our analysis of private intermediaries' role suggests that public intermediary's optimal disclosure time does not change with private intermediary's participation. However, a vendor's patch time increases when the probability of information leakage is low, if not non-existent. In other words, private intermediaries' service decreases a vendor's willingness to deliver quick patches. Empirical evidence with 1493 vulnerability observations from CERT/CC and other 326 different vulnerability observations from iDefense provided support for our analytical results.