Optimal Policy for software sulnerability disclosure

Management Science

Volumn 54, Issue 4, 2008, Pages 642-656

  Arora, Ashish ^a   Telang, Rahul ^a   Hao, Xu ^a  

^a CARNEGIE MELLON UNIVERSITY   (United States)

Author keywords

Disclosure policy; Economics of cybersecurity; Instant disclosure; Patch quality; Patching; Software vulnerability

Indexed keywords

DISCLOSURE POLICY; INSTANT DISCLOSURE; PATCH QUALITY; PATCHING; SOFTWARE VULNERABILITY;

ECONOMICS; OPTIMIZATION;

COMPUTER SOFTWARE SELECTION AND EVALUATION;

EID: 61849175198     PISSN: 00251909     EISSN: 15265501     Source Type: Journal    
DOI: 10.1287/mnsc.1070.0771     Document Type: Article

References (22)

1. Arbaugh, W. A., W. L. Fithen, J. McHugh. 2000. Windows of vulnerability: A case study analysis. Computer 33(12) 52-59.
2. Arora, A., J. P. Caulkins, R. Telang. 2005. Research note-sell first, fix later: Impact of patching on software quality. Management Sci. 52(3) 465-471.
3. Arora, A., A. Nandkumar, R. Telang. 2006a. Does information security attack frequency increase with vulnerability disclosure?-An empirical analysis. Inform. Systems Frontier 8 350-362.
4. Arora, A., C. Forman, A. Nandkumar, R. Telang. 2006b. Competitive and strategic effects in the timing of patch release. Fifth Workshop Econom. Inform. Security (WEIS 2006), Cambridge, UK.
5. Arora, A., R. Krishnan, R. Telang, Y. Yang. 2006c. How quickly do they patch? An empirical analysis of vendor response to disclosure policies. Internat. Conf. Inform. Systems (ICIS 2006), Milwaukee.
6. August, T., T. Tunca. 2005. Network software security and user incentives. Management Sci. 52(11) 1703-1720.
7. Beattie, S., S. Arnold, C. Cowan, P. Wagle, C. Wright. 2002. Timing the application of security patches for optimal uptime. Proc. LISA: Sixteenth Systems Admin. Conf. , USENIX Association, Berkeley, CA, 233-242.
8. Browne, H. K., W. A. Arbaugh, J. McHugh, W. L. Fithen. 2001. A trend analysis of exploitations. IEEE Sympos. Security Privacy, IEEE Computer Society, Washington, D.C., 214-229.
9. Cavusoglu, H., H. Cavusoglu, S. Raghunathan. 2004. How should we disclose software vulnerabilities? Proc.14th Workshop Inform.T ech systems (WITS'04), Washington, D.C.
10. Cavusoglu, H., H. Cavusoglu, J. Zhang. 2005. Security patch management: Share the burden or share the damage? Working paper, Tulane University, New Orleans.
11. Choi, J., C. Fershtman, N. Gandal. 2005. Internet security, vulnerability disclosure and software provision. Fourth Workshop Econom. Inform. Security WEIS 2005, Boston.
12. Clake, R. 2002. Black hat briefings USA. Accessed July 19, 2006, http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#RichardClarke.
13. CSI-FBI. 2005. CSI/FBI computer crime and security survey. Computer Security Institute.
14. Gordon, L. A., M. P. Loeb. 2002. The economics of information security investment. ACM Trans. Inform. System Security 5(4) 438-457.
15. InfoWorld.com. 2003. Vulnerability enables passport account hijackings. http://www.infoworld.com/article/03/06/30/HNpass-1.html.
16. Kannan, K., R. Telang. 2005. Market for software vulnerabilities? Think again. Management Sci. 51(5) 726-740.
17. National Strategy to Secure Cyberspace. 2003. Accessed August 24, 2005, http://www.whitehouse.gov/pcipb.
18. Nizovtsev, D., M. Thursby. 2007. To disclose or not? An analysis of software user behavior. Inform. Econom. Policy 19(1) 43-64.
19. Png, I., C. Q. Tang, S. Y. Wang. 2006. Information security: User precautions and hacker targeting. Fifth Workshop Econom. Inform. Security (WEIS 2006), Cambridge, UK.
20. Preston, E., J. Lofton. 2002. Computer security publications: Information economics, shifting liability and the first amendment. Whittier Law Rev. 24 71-142.
21. Rescorla, E. 2003. Security holes ⋯ who cares? Proc. 12th USENIX Security Conf., Washington, D.C., 75-90.
22. Symantec. 2003. Symantec Internet Security Threat Report. http://www.symantec.com.