A comparison of market approaches to software vulnerability disclosure

Authors:
Rainer Böhme
Affiliations:
Institute for System Architecture, Technische Universität Dresden, Dresden, Germany
Venue:
ETRICS'06 Proceedings of the 2006 international conference on Emerging Trends in Information and Communication Security
Year:
2006

Citing 9
Cited 6

Information rules: a strategic guide to the network economy

Information rules: a strategic guide to the network economy
A framework for using insurance for cyber-risk management

Communications of the ACM
Assessing the Risk in E-commerce

HICSS '02 Proceedings of the 35th Annual Hawaii International Conference on System Sciences (HICSS'02)-Volume 7 - Volume 7
Two Views on Security Software Liability: Let the Legal System Decide

IEEE Security and Privacy
The economic cost of publicly announced information security breaches: empirical evidence from the stock market

Journal of Computer Security - IFIP 2000
Hacking the Business Climate for Network Security

Computer
Computer security strength and risk: a quantitative approach

Computer security strength and risk: a quantitative approach
The Effect of Internet Security Breach Announcements on Market Value: Capital Market Reactions for Breached Firms and Internet Security Developers

International Journal of Electronic Commerce
Botnet tracking: exploring a root-cause methodology to prevent distributed denial-of-service attacks

ESORICS'05 Proceedings of the 10th European conference on Research in Computer Security

Information security economics - and beyond

CRYPTO'07 Proceedings of the 27th annual international cryptology conference on Advances in cryptology
References

Dependability metrics
Security of economics information

AIKED'10 Proceedings of the 9th WSEAS international conference on Artificial intelligence, knowledge engineering and data bases
Security metrics and security investment models

IWSEC'10 Proceedings of the 5th international conference on Advances in information and computer security
A move in the security measurement stalemate: elo-style ratings to quantify vulnerability

Proceedings of the 2012 workshop on New security paradigms
Markets for zero-day exploits: ethics and implications

Proceedings of the 2013 workshop on New security paradigms workshop

Quantified Score

Hi-index	0.00

Visualization

Abstract

Practical computer (in)security is largely driven by the existence of and knowledge about vulnerabilities, which can be exploited to breach security mechanisms. Although the discussion on details of responsible vulnerability disclosure is controversial, there is a sort of consensus that better information sharing is socially beneficial. In the recent years we observe the emerging of “vulnerability markets” as means to stimulate exchange of information. However, this term subsumes a broad range of different concepts, which are prone to confusion. This paper provides a first attempt to structure the field by (1) proposing a terminology for distinct concepts and (2) defining criteria to allow for a better comparability between different approaches. An application of this framework on four market types shows notable differences between the approaches.