An examination of private intermediaries’ roles in software vulnerabilities disclosure

Information Systems Frontiers

Abstract

Software vulnerability disclosure has generated much interest and debate, and private intermediaries have recently entered this market. This paper examines how such private intermediaries affect the optimal disclosure timing chosen by public intermediaries, and how vendors react. Our analysis suggests that a public intermediary’s optimal disclosure time does not change when a private intermediary participates. However, a vendor’s patch time increases when the probability of information leakage is low, if not zero. In other words, a private intermediary’s service reduces a vendor’s willingness to deliver quick patches. Empirical evidence from 1493 vulnerability observations from CERT/CC and 326 other vulnerability observations from iDefense supports our analytical results.


References

  • Anderson, R., & Moore, T. (2006). The economics of information security: A survey and open questions. Science, 314(5799), 610–613.

  • Arbaugh, W. A., Fithen, W. L., & McHugh, J. (2000). Windows of vulnerability: A case study analysis. IEEE Computer, 33, 52–59.

  • Arora, A., Caulkins, J. P., & Telang, R. (2003). Provision of software quality in the presence of patching technology. Carnegie Mellon University, Working Paper, February.

  • Arora, A., Krishnan, R., Nandkumar, A., Telang, R., & Yang, Y. (2004a). Impact of vulnerability disclosure and patch availability—An empirical analysis. Workshop on Economics and Information Security, May 2004, Minneapolis, MN, USA.

  • Arora, A., Krishnan, R., Telang, R., & Yang, Y. (2005). An empirical analysis of vendor response to disclosure policy. The Fourth Workshop on the Economics of Information Security.

  • Arora, A., Telang, R., & Hao, X. (2004b). Optimal policy for software vulnerability disclosure. Carnegie Mellon University, Working Paper.

  • Campbell, K., Gordon, L., Loeb, M. P., & Zhou, L. (2003). The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security, 11(3), 431–448.

  • Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2004a). Analysis of software vulnerability disclosure policies. CORS/INFORMS Joint International Meeting, Banff, Alberta, Canada.

  • Cavusoglu, H., Cavusoglu, H., & Raghunathan, S. (2005). Emerging issues in responsible vulnerability disclosure. The Fourth Workshop on the Economics of Information Security.

  • Cavusoglu, H., Mishra, B., & Raghunathan, S. (2004b). The effect of internet security breach announcements on market value: Capital market reactions for breached firms and Internet security developers. International Journal of Electronic Commerce, 9(1), 69.

  • Choi, J. P., Fershtman, C., & Gandal, N. (2005). Internet security, vulnerability disclosure, and software provision. The Fourth Workshop on the Economics of Information Security.

  • Gordon, L. A., & Loeb, M. P. (2002). The economics of information security investment. ACM Transactions on Information and System Security, 5, 438–457.

  • iDefense (2005). Service overview. http://www.idefense.com.

  • Kannan, K., & Telang, R. (2005). Market for software vulnerabilities? Think again. Management Science, 51(5), 726.

  • Nizovtsev, D., & Thursby, M. (2005). Economic analysis of incentive to disclose software vulnerabilities. The Fourth Workshop on the Economics of Information Security.

  • Ozment, A. (2004). Bug auctions: Vulnerability markets reconsidered. http://www.dtc.umn.edu/weis2004/ozment.pdf.

  • Schechter, S. (2004). Computer security, strength and risk: A quantitative approach. http://www.eecs.harvard.edu/~stuart/papers/thesis.pdf.

  • Schechter, S., & Smith, M. D. (2003). How much security is enough to stop a thief? The Seventh International Financial Cryptography Conference, Gosier, Guadeloupe, January.

  • Symantec (2003). Symantec Internet security threat report. http://www.symantec.com.

  • Telang, R., & Wattal, S. (2005). Impact of software vulnerability announcements on the market value of software vendors—An empirical investigation. The Fourth Workshop on the Economics of Information Security.

Author information

Corresponding author

Correspondence to H. Raghav Rao.

Cite this article

Li, P., Rao, H.R. An examination of private intermediaries’ roles in software vulnerabilities disclosure. Inf Syst Front 9, 531–539 (2007). https://doi.org/10.1007/s10796-007-9047-2
