Abstract
Software vulnerability disclosure has generated much interest and debate. Recently, some private intermediaries have entered this market. This paper examines the effects of such private intermediaries on the optimal timing of disclosure policies set by public intermediaries, and on vendors' reactions. Our analysis of the private intermediaries' role suggests that a public intermediary's optimal disclosure time does not change when a private intermediary participates. However, a vendor's patch time increases when the probability of information leakage is low, if not non-existent. In other words, private intermediaries' service decreases a vendor's willingness to deliver quick patches. Empirical evidence from 1493 vulnerability observations from CERT/CC and another 326 different vulnerability observations from iDefense supports our analytical results.
Cite this article
Li, P., Rao, H.R. An examination of private intermediaries’ roles in software vulnerabilities disclosure. Inf Syst Front 9, 531–539 (2007). https://doi.org/10.1007/s10796-007-9047-2
DOI: https://doi.org/10.1007/s10796-007-9047-2