Market for Software Vulnerabilities? Think Again

Posted: 9 Dec 2003

Karthik Natarajan Kannan

Purdue University

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Hao Xu

Carnegie Mellon University - School of Computer Science

Date Written: November 2003

Abstract

Software vulnerabilities and the lack of information security have been receiving a lot of media attention lately, as attacks exploiting vulnerabilities cause significant economic damage. Since new software vulnerabilities emerge every day, disclosing information about them is a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers (who report vulnerability information voluntarily) and users of the software. After verifying a reported vulnerability and obtaining the remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public advisory to inform software users about it. Of late, firms such as iDefense have been proposing a different, market-based mechanism in which the infomediary pays identifiers a monetary reward for each vulnerability disclosed to it. The infomediary then shares this information with its client base. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities.

The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active market-based mechanism is expected to perform better than a passive, CERT-type mechanism. Surprisingly, we find that a market mechanism underperforms when benign users voluntarily provide vulnerability information. More importantly, we find that the monopolist always has an incentive to misuse the vulnerability information, such that it almost always reduces social welfare. We extend our analysis and propose a new mechanism, named the Federally-Funded Social Planner, that always performs better.

Keywords: software vulnerability, market mechanism, information security, disclosure policy

Suggested Citation

Kannan, Karthik Natarajan and Telang, Rahul and Xu, Hao, Market for Software Vulnerabilities? Think Again (November 2003). Available at SSRN: https://ssrn.com/abstract=473321

Karthik Natarajan Kannan

Purdue University

Krannert School of Management
West Lafayette, IN 47907
United States

Rahul Telang (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)

Hao Xu

Carnegie Mellon University - School of Computer Science

5000 Forbes Avenue
Pittsburgh, PA 15213
United States
