To Disclose or Not? An Analysis of Software User Behavior
32 Pages. Posted: 2 May 2006
Date Written: April 30, 2006
Abstract
This paper addresses the ongoing debate over disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that full public disclosure may be an equilibrium strategy in a game played by rational loss-minimizing agents. We provide conditions under which full public disclosure of vulnerabilities is desirable from a social welfare standpoint. We analyze the effect of several vendor and product characteristics, and of the composition of the pool of software users, on the decision to disclose and on social welfare. We also examine models in which users may spend effort to develop a fix themselves, or may threaten vendors with disclosure after a grace period. We show that to the extent that users are able to develop fixes for discovered vulnerabilities without inordinate effort, welfare is further improved. This is more likely the more familiar users are with the details of the software, which provides an argument for "open source" software.
Keywords: economics of information security, software vulnerabilities, vulnerability disclosure, patching
JEL Classification: A12, C72, D81, L15
Recommended Papers
- Sell First, Fix Later: Impact of Patching on Software Quality, by Ashish Arora, Jonathan P. Caulkins, ...
- Optimal Policy for Software Vulnerability Disclosure, by Ashish Arora, Rahul Telang, ...
- Internet Security, Vulnerability Disclosure and Software Provision, by Jay Pil Choi and Chaim Fershtman