PDF icon Download This Paper Open PDF in Browser
Add Paper to My Library
Permalink
Using the URL or DOI link below will ensure access to this page indefinitely
Copy URL
Copy URL

An Empirical Analysis of Vendor Response to Software Vulnerability Disclosure

32 Pages Posted: 29 Aug 2005

See all articles by Ashish Arora

Ashish Arora

Duke University - Fuqua School of Business; National Bureau of Economics Research; Duke Innovation & Entrepreneurship Initiative

Ramayya Krishnan

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Yubao Yang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Date Written: August 2005

Abstract

Software vulnerability disclosure refers to the publication of vulnerability information before a patch to address the vulnerability has been issued by the software vendor. It has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and SecurityFocus to answer this question. Our results suggest that disclosure policy has a significant positive impact on the vendor patching speed. Vendors are 137% more likely to patch due to disclosure. In particular, instant disclosure hastens the patch delivery by almost 29 days. Open source vendors patch more quickly than closed source vendors and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not handled by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC.

Keywords: Security vulnerability, disclosure policy, patching speed, open source, hazard functions

Suggested Citation

Arora, Ashish and Krishnan, Ramayya and Telang, Rahul and Yang, Yubao, An Empirical Analysis of Vendor Response to Software Vulnerability Disclosure (August 2005). Available at SSRN: https://ssrn.com/abstract=786128 or http://dx.doi.org/10.2139/ssrn.786128

Ashish Arora

Duke University - Fuqua School of Business ( email )

Box 90120
Durham, NC 27708-0120
United States

National Bureau of Economics Research

1050 Massachusetts Avenue
Cambridge, MA 02138
United States

Duke Innovation & Entrepreneurship Initiative ( email )

215 Morris St., Suite 300
Durham, NC 27701
United States

Ramayya Krishnan

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management ( email )

Pittsburgh, PA 15213-3890
United States

Rahul Telang (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management ( email )

4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)

Yubao Yang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management ( email )

Pittsburgh, PA 15213-3890
United States

PDF icon Download This Paper Open PDF in Browser

Register to save articles to
your library

Register

Paper statistics

Downloads
179
Abstract Views
1,476
rank
169,273
25 References
PlumX Metrics

Related eJournals

  • Cyberspace Law eJournal

    Follow

    Cyberspace Law eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    1,039
    PAPERS
    9,260
    This Journal is curated by:
    Peter Swire at Georgia Institute of Technology - Scheller College of Business, Jonathan L. Zittrain at Harvard Law School and Harvard Kennedy School of Government

  • IO: Productivity, Innovation & Technology eJournal

    Follow

    IO: Productivity, Innovation & Technology eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    655
    PAPERS
    24,300

  • Innovation & Management Science eJournal

    Follow

    Innovation & Management Science eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    263
    PAPERS
    5,921

  • Innovation Law & Policy eJournal

    Follow

    Innovation Law & Policy eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    253
    PAPERS
    24,481

  • Information Systems & Economics eJournal

    Follow

    Information Systems & Economics eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    99
    PAPERS
    12,008
    This Journal is curated by:
    Erik Brynjolfsson at Massachusetts Institute of Technology (MIT) - Sloan School of Management

  • Information Technology & Systems eJournal

    Follow

    Information Technology & Systems eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    88
    PAPERS
    3,831
    This Journal is curated by:
    Carson Woo at University of British Columbia (UBC) - Sauder School of Business

  • Managerial Marketing eJournal

    Follow

    Managerial Marketing eJournal

    Subscribe to this fee journal for more curated articles on this topic

    FOLLOWERS
    59
    PAPERS
    4,033

Recommended Papers