Market for Software Vulnerabilities? Think Again


Karthik Natarajan Kannan


Purdue University

Rahul Telang


Carnegie Mellon University - H. John Heinz III School of Public Policy and Management


Management Science, Vol. 51, No. 5, 2005

Abstract:
Software vulnerabilities and the lack of information security have been receiving a lot of media attention lately, as attacks exploiting vulnerabilities cause significant economic damage. Since new software vulnerabilities emerge every day, disclosing information about them is a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers (who report vulnerability information voluntarily) and users of the software. After verifying a reported vulnerability and obtaining the remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public advisory to inform software users about it. Of late, firms such as iDefense have been proposing a different, market-based mechanism in which the infomediary pays identifiers a monetary reward for each vulnerability disclosed to it. The infomediary then shares this information with its client base. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities.

The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active market-based mechanism is expected to perform better than a passive CERT-type mechanism. Surprisingly, we find that a market mechanism underperforms when benign users voluntarily provide vulnerability information. More importantly, we find that the monopolist always has an incentive to misuse the vulnerability information, such that it almost always reduces social welfare. We extend our analysis and propose a new mechanism, named the Federally-Funded Social Planner, that always performs better.

Keywords: software vulnerability, market mechanism, information security, disclosure policy

Accepted Paper Series

Date posted: March 1, 2006

Suggested Citation

Kannan, Karthik Natarajan and Telang, Rahul, Market for Software Vulnerabilities? Think Again. Management Science, Vol. 51, No. 5, 2005. Available at SSRN: http://ssrn.com/abstract=867025

Contact Information

Karthik Natarajan Kannan
Purdue University
Krannert School of Management
West Lafayette, IN 47907
United States

Rahul Telang (Contact Author)
Carnegie Mellon University - H. John Heinz III School of Public Policy and Management
4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)
