Market Effectiveness for Software Vulnerability Disclosure: A Comparative Approach

Posted: 3 May 2016


Marzieh Yaghini

Independent

Masoud Talebian

Graduate School of Management and Economics, Sharif University of Technology ; University of Newcastle (Australia)

Date Written: January 1, 2016

Abstract

There is ongoing debate over which type of market should provide software vulnerability disclosure services. Federal information-sharing organizations (such as CERT) and market-based information-sharing organizations (such as iDefense) act as infomediaries between benign identifiers, who voluntarily report vulnerability information, and software users. After verifying a reported vulnerability, a CERT-type infomediary contacts the vendor for a patch and waits an appropriate period before disclosing the vulnerability to the public. A CERT-type infomediary provides vulnerability information to all users without a subscription fee and offers no monetary reward to identifiers. A market-based infomediary follows a disclosure procedure similar to that of a CERT-type infomediary.

The significant distinction, however, is that a market-based infomediary provides countermeasures to protect its subscribers during the disclosure window (the period between verification and public disclosure). A market-based infomediary also charges users a subscription fee and pays a monetary reward to the identifier.

The key question addressed in our paper is whether a market-based mechanism leads to better social outcomes. Our analysis demonstrates that a market-based mechanism always performs better than a CERT-type mechanism. This result is attributed to the protective services provided by market-based infomediaries for the subscribers. We plan to extend our model to analyze the oligopolistic and competitive markets of vulnerabilities.

Suggested Citation

Yaghini, Marzieh and Talebian, Masoud, Market Effectiveness for Software Vulnerability Disclosure: A Comparative Approach (January 1, 2016). Available at SSRN: https://ssrn.com/abstract=2709946

Masoud Talebian

Graduate School of Management and Economics, Sharif University of Technology

Tehran
Iran

University of Newcastle (Australia)

University Drive
Callaghan, NSW 2308
Australia
