A comparison of market approaches to software vulnerability disclosure

Lecture Notes in Computer Science (including subseries Lecture Notes in Artificial Intelligence and Lecture Notes in Bioinformatics)

Volumn 3995 LNCS, Issue , 2006, Pages 298-311

  Böhme, Rainer ^a  

^a DRESDEN UNIVERSITY OF TECHNOLOGY   (Germany)

Author keywords

[No Author keywords available]

Indexed keywords

COMPUTER SOFTWARE; DATA HANDLING; DATA TRANSFER; INFORMATION TECHNOLOGY; SECURITY OF DATA; SECURITY SYSTEMS;

MARKETS; SECURITY MECHANISMS; SOFTWARE VULNERABILITY; VULNERABILITY DISCLOSURE;

SOFTWARE ENGINEERING;

EID: 33746613622     PISSN: 03029743     EISSN: 16113349     Source Type: Book Series    
DOI: 10.1007/11766155_21     Document Type: Conference Paper

References (33)

1. Arora, A., Telaiig, R., Xu, H.: Optimal policy for software vulnerability disclosure. In: Workshop on the Economics of Information Security (WEIS), University of Minnesota, Minneapolis, MN (2004) http://www.dtc.umn.edu/weis2004/xu.pdf.
2. Arora, A., Krishnan, R., Telang, R., Yang, Y.: An empirical analysis of vendor response to software vulnerability disclosure. In: Workshop on Information Systems and Economics (WISE), University of California, Irvine, CA (2005)
3. Nizovtsev, D., Thursby, M.: Economic incentives to disclose software vulnerabilities. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/20.pdf.
4. Rescorla, E.: Is finding security holes a good idea? In: Workshop of Economics and Information Security (WEIS), University of Minnesota, Minneapolis, MN (2004) http://www.dtc.umn.edu/weis2004/rescorla.pdf.
5. Anderson, R.J.: Why information security is hard - An economic perspective (2001) http://www.cl.cam.ac.uk/~rja14/econsec.html.
6. Akerlof, G.A.: The market for 'lemons': Quality, uncertainty and the market mechanism. Quarterly Journal of Economics 84 (1970) 488-500
7. Shapiro, C., Varian, H.R.: Information Rules. A Strategic Guide to the Network Economy. Harvard Business School Press (1998)
8. Hardin, G.: The tragedy of the commons. Science 162 (1968) 1243-1248
9. Freiling, F., Holz, T., Wicherski, G.: Botnet tracking: Exploring a root-cause methodology to prevent distributed denial-of-service attacks. In S. de Capitani di Vimercati et al., ed.: Proc. of ESORICS. LNCS 3679, Berlin Heidelberg, Springer Verlag (2005) 319-335
10. Varian, H.R.: System reliability and free riding. In: Workshop on Economics and Information Security (WEIS), Berkeley, CA (2002) http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/.
11. Varian, H.R.: Managing online security risks. New York Times (2000) http://www.nytimes.com/library/financial/columns/060100econ-scene.html.
12. Ryan, D.J., Heckmann, C.: Two views on security software liability. IEEE Security & Privacy 1 (2003) 70-75
13. Schechter, S.E.: Computer Security Strength & Risk: A Quantitative Approach. PhD thesis, Harvard University, Cambridge, MA (2004)
14. Camp, J.L., Wolfram, C.: Pricing security. In: Proc. of the CERT Information Survivability Workshop, Boston, MA (2000) 31-39 http://www.cert.org/research/isw/isw2000/papers/54.pdf.
15. Downs, A.: An Economic Theory of Democracy. Harper and Brothers, New York (1957)
16. Stigler, G.J.: The Citizen and the State: Essays on Regulation. University Press, Chicago (1975)
17. Ozment, A.: Bug auctions: Vulnerability markets reconsidered. In: Workshop of Economics and Information Security (WEIS), University of Minnesota, Minneapolis, MN (2004) http://www.dtc.umn.edu/weis2004/ozment.pdf.
18. Böhme, R.: Vulnerability markets - What is the economic value of a zero-day exploit? In: Proc. of 22C3: Private Investigations, Berlin, Germany (2005) https://events.ccc.de/congress/2005/fahrplan/attachments/542-Boehme2005.22C3. VulnerabilityMarkets.pdf.
19. Kannan, K., Telang, R.: An economic analysis of markets for software vulnerabilities. In: Workshop of Economics and Information Security (WEIS), University of Minnesota, Minneapolis, MN (2004) http://www.dtc.umn.edu/weis2004/kannan-telang.pdf.
20. Matsuura, K.: Security tokens and their derivatives. Technical report, Centre for Communications Systems Research (CCSR), University of Cambridge, UK (2001)
21. Gordon, L.A., Loeb, M.P., Sohail, T.: A framework for using insurance for cyberrisk management. Communications of the ACM 46 (2003) 81-85
22. Kesan, J.P., Majuca, R.P., Yurcik, W.J.: The economic case for cyberinsurance. In: Workshop on the Economies of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/42.pdf.
23. Schneier, B.: Hacking the business climate for network security. IEEE Computer (2004) 87-89
24. Yurcik, W., Doss, D.: Cyberinsurance: A market solution to the internet security market failure. In: Workshop on Economics and Information Security (WEIS), Berkeley, CA (2002) http://www.sims.berkeley.edu/resources/affiliates/workshops/econsecurity/.
25. Böhme, R.: Cyber-insurance revisited. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/15.pdf.
26. Ettredge, M., Richardson, V.J.: Assessing the risk in e-commerce. In Sprague, R.H., ed.: Proc. of the 35th Hawaii International Conference on System Sciences, Los Alamitos, CA, IEEE Press (2002)
27. Campbell, K., Gordon, L.A., Loeb, M.P., Zhou, L.: The economic cost of publicly announced information security breaches: Empirical evidence from the stock market. Journal of Computer Security 11 (2003) 431-448
28. Cavusoglu, H., Mishra, B., Raghunathan, S.: The effect of internet security breach announcements on market value: Capital market reactions for breached firms and internet security developers. International Journal of Electronic Commerce 9 (2004) 69-104
29. Telang, R., Wattal, S.: Impact of software vulnerability announcements on the market value of software vendors - An empirical investigation. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/telang_wattal.pdf.
30. Kahneman, D., Tversky, A.: Choices, Values, and Frames. Cambridge University Press (2000)
31. Geer et al., D.: CyberInsecurity - The cost of monopoly (2003) http://www.ccianet.org/papers/cyberinsecurity.pdf.
32. Chen, P.Y., Kataria, G., Krishnan, R.: Software diversity for information security. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/47.pdf.
33. Ozment, A.: The likelihood of vulnerability rediscovery and the social utility of vulnerability hunting. In: Workshop on the Economics of Information Security (WEIS), Harvard University, Cambridge, MA (2005) http://infosecon.net/workshop/pdf/10.pdf.