Optimal Policy for Software Vulnerability Disclosure

Authors:
Ashish Arora;Rahul Telang;Hao Xu
Affiliations:
H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213;H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213;H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213
Venue:
Management Science
Year:
2008

Citing 0
Cited 11

An Economic Analysis of the Software Market with a Risk-Sharing Mechanism

International Journal of Electronic Commerce
An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Information Systems Research
Would a 'cyber warrior' protect us: exploring trade-offs between attack and defense of information systems

Proceedings of the 2010 workshop on New security paradigms
Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments

Management Science
The impact of malicious agents on the enterprise software industry

MIS Quarterly
When Hackers Talk: Managing Information Security Under Variable Attack Rates and Knowledge Dissemination

Information Systems Research
Software, vendors and reputation: an analysis of the dilemma in creating secure software

INTRUST'10 Proceedings of the Second international conference on Trusted Systems
Security versus convenience? An experimental study of user misperceptions of wireless internet service quality

Decision Support Systems
Are markets for vulnerabilities effective?

MIS Quarterly
Revisiting the incentive to tolerate illegal distribution of software products

Decision Support Systems
Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis

Journal of Management Information Systems

Quantified Score

Hi-index	0.01

Visualization

Abstract

Software vulnerabilities represent a serious threat to cybersecurity, most cyberattacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus, CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in a better patch quality. Another extension allows for some fraction of users to use “work-arounds.” We show that the possibility of work-arounds can provide the social planner with more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who are able to use the work-arounds on the users who are not.