An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Authors:
Ashish Arora;Ramayya Krishnan;Rahul Telang;Yubao Yang
Affiliations:
H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213;H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213;H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213;H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213
Venue:
Information Systems Research
Year:
2010

Citing 9
Cited 10

Software Development Practices, Software Complexity, and Software Maintenance Performance: a Field Study

Management Science
Windows of Vulnerability: A Case Study Analysis

Computer
An Empirical Analysis of Productivity and Quality in Software Products

Management Science
Market for Software Vulnerabilities? Think Again

Management Science
Does information security attack frequency increase with vulnerability disclosure? An empirical analysis

Information Systems Frontiers
Network Software Security and User Incentives

Management Science
Research NoteSell First, Fix Later: Impact of Patching on Software Quality

Management Science
An Empirical Analysis of the Impact of Software Vulnerability Announcements on Firm Stock Price

IEEE Transactions on Software Engineering
Optimal Policy for Software Vulnerability Disclosure

Management Science

Informational privacy, consent and the "control" of personal data

Information Security Tech. Report
Drivers of information security search behavior: An investigation of network attacks and vulnerability disclosures

ACM Transactions on Management Information Systems (TMIS)
Correlated failures, diversification, and information security risk management

MIS Quarterly
Predicting stock market returns from malicious attacks: A comparative analysis of vector autoregression and time-delayed neural networks

Decision Support Systems
A large scale exploratory analysis of software vulnerability life cycles

Proceedings of the 34th International Conference on Software Engineering
Self-healing multitier architectures using cascading rescue points

Proceedings of the 28th Annual Computer Security Applications Conference
Patch Release Behaviors of Software Vendors in Response to Vulnerabilities: An Empirical Analysis

Journal of Management Information Systems
Estimating risk levels for vulnerability categories using CVSS

International Journal of Internet Technology and Secured Transactions
A novel approach to evaluate software vulnerability prioritization

Journal of Systems and Software
A model for quantitative security measurement and prioritisation of vulnerability mitigation

International Journal of Security and Networks

Quantified Score

Hi-index	0.00

Visualization

Abstract

A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that results are consistent. We also show how our estimates can aid policy makers in their decision making.