Market Effectiveness for Software Vulnerability Disclosure: A Comparative Approach
Posted: 3 May 2016
Date Written: January 1, 2016
Abstract
There is considerable debate over which type of market should provide software vulnerability disclosure services. Federal information sharing organizations (such as CERT) and market-based information sharing organizations (such as iDefense) act as infomediaries between benign identifiers, who voluntarily report vulnerability information, and software users. After verifying a reported vulnerability, a CERT-type infomediary contacts the vendor for the appropriate patch and waits for an appropriate time before disclosing the vulnerability to the public. A CERT-type infomediary provides vulnerability information to all users without a subscription fee and does not offer any monetary reward to identifiers. A market-based infomediary uses a disclosure procedure similar to that of a CERT-type infomediary.
However, the significant distinction is that it provides countermeasures that protect its subscribers during the disclosure period. A market-based infomediary also charges users a subscription fee and pays monetary rewards to the identifier.
The key question addressed in our paper is whether a market-based mechanism leads to better social outcomes. Our analysis demonstrates that a market-based mechanism always performs better than a CERT-type mechanism. This result is attributed to the protective services provided by market-based infomediaries for the subscribers. We plan to extend our model to analyze the oligopolistic and competitive markets of vulnerabilities.