Network Security: Vulnerabilities and Disclosure Policy

27 Pages. Posted: 30 Dec 2010

Jay Pil Choi

Michigan State University - Department of Economics; CESifo (Center for Economic Studies and Ifo Institute)

Chaim Fershtman

Tel Aviv University - Eitan Berglas School of Economics; Tinbergen Institute

Neil Gandal

Berglas School of Economics, Tel Aviv University; Centre for Economic Policy Research (CEPR)

There are 2 versions of this paper

Date Written: December 24, 2010

Abstract

Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and a bug bounty program.

Keywords: Internet security, software vulnerabilities, disclosure policy

JEL Classification: L100, L630

Suggested Citation

Choi, Jay Pil and Fershtman, Chaim and Gandal, Neil, Network Security: Vulnerabilities and Disclosure Policy (December 24, 2010). The Journal of Industrial Economics, Vol. 58, Issue 4, pp. 868-894, 2010. Available at SSRN: https://ssrn.com/abstract=1732394 or http://dx.doi.org/10.1111/j.1467-6451.2010.00435.x

Jay Pil Choi (Contact Author)

Michigan State University - Department of Economics

101 Marshall Hall
East Lansing, MI 48824
United States
517-353-7281 (Phone)

CESifo (Center for Economic Studies and Ifo Institute)

Poschinger Str. 5
Munich, DE-81679
Germany

HOME PAGE: http://www.CESifo.de

Chaim Fershtman

Tel Aviv University - Eitan Berglas School of Economics

P.O. Box 39040
Ramat Aviv, Tel Aviv, 69978
Israel
+972 3 640 7167 (Phone)
+972 3 640 9908 (Fax)

Tinbergen Institute

Burg. Oudlaan 50
Rotterdam, 3062 PA
Netherlands

Neil Gandal

Berglas School of Economics, Tel Aviv University

Tel Aviv University
Tel Aviv 69978
Israel
+972 3 640 9907 (Phone)
+972 3 640 9908 (Fax)

HOME PAGE: http://www.neilgandal.com/

Centre for Economic Policy Research (CEPR)

London
United Kingdom
