An Empirical Analysis of Productivity and Quality in Software Products
Management Science
Market for Software Vulnerabilities? Think Again
Management Science
Information Systems Frontiers
Network Software Security and User Incentives
Management Science
Research Note: Sell First, Fix Later: Impact of Patching on Software Quality
Management Science
An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price
IEEE Transactions on Software Engineering
Optimal Policy for Software Vulnerability Disclosure
Management Science
Informational privacy, consent and the "control" of personal data
Information Security Tech. Report
ACM Transactions on Management Information Systems (TMIS)
A large scale exploratory analysis of software vulnerability life cycles
Proceedings of the 34th International Conference on Software Engineering
Self-healing multitier architectures using cascading rescue points
Proceedings of the 28th Annual Computer Security Applications Conference
Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis
Journal of Management Information Systems
Estimating risk levels for vulnerability categories using CVSS
International Journal of Internet Technology and Secured Transactions
A novel approach to evaluate software vulnerability prioritization
Journal of Systems and Software
A model for quantitative security measurement and prioritisation of vulnerability mitigation
International Journal of Security and Networks
A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer these questions. Our results suggest that disclosure accelerates patch release: the instantaneous probability of releasing the patch rises by nearly two and a half times as a result of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results using another publicly available data set and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.