Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge

  • Authors: Hasan Cavusoglu; Huseyin Cavusoglu; Srinivasan Raghunathan
  • Venue: IEEE Transactions on Software Engineering
  • Year: 2007


Abstract

Security vulnerabilities in software are one of the primary reasons for security breaches, and an important challenge from a knowledge management perspective is to determine how to manage the disclosure of knowledge about those vulnerabilities. The security community has proposed several disclosure mechanisms, such as full vendor, immediate public, and hybrid, and has debated the merits and demerits of these alternatives. In this paper, we study how vulnerabilities should be disclosed to minimize the social loss. We find that the characteristics of the vulnerability (vulnerability risk before and after disclosure), the cost structure of the software user population, and the vendor's incentives to develop a patch determine the optimal (responsible) vulnerability disclosure. We show that, unlike some existing vulnerability disclosure mechanisms that fail to motivate the vendor to release its patch, a responsible vulnerability disclosure policy always ensures the release of a patch. However, we find that this is not because of the threat of public disclosure, as argued by some security practitioners. In fact, not restricting the vendor with a time constraint can ensure the patch release. This result runs counter to the argument of some that setting a grace period always pushes the vendor to develop a patch. When the vulnerability affects multiple vendors, we show that the responsible disclosure policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator's grace period in the multiple vendor case falls between the grace periods that it would set individually for the vendors in the single vendor case. This implies that the coordinator does not necessarily increase the grace period to accommodate more vendors.
We then extend our base model to analyze the impact on responsible vulnerability disclosure of 1) early discovery and 2) an early warning system that provides privileged vulnerability knowledge to selected users before the release of a patch for the vulnerability. We show that while early discovery always improves the social welfare, an early warning system does not necessarily improve the social welfare.