Market for Software Vulnerabilities? Think Again
Karthik Natarajan Kannan
Carnegie Mellon University - H. John Heinz III School of Public Policy and Management
Management Science, Vol. 51, No. 5, 2005
Software vulnerabilities and the lack of information security have been receiving a lot of media attention lately as attacks exploiting vulnerabilities cause significant economic damages. Since new software vulnerabilities are emerging everyday, disclosing information about them is a critical area of concern for policy makers. Traditionally, Computer Emergency Response Team (CERT) has been acting as an infomediary between benign identifiers (who report vulnerability information voluntarily) and users of the software. After verifying a reported vulnerability, and obtaining the remediation in the form of a patch from the software vendor, the infomediary - CERT - sends out a public advisory to inform software users about it. Of late, firms such as iDefense have been proposing a different market-based mechanism where the infomediary provides monetary rewards to identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its client base. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities.
The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active market-based mechanism is expected to perform better than a passive CERT type mechanism. Surprisingly, we find that a market mechanism underperforms when benign users voluntarily provide vulnerability information. More importantly, we find that monopolist always has an incentive to misuse the vulnerability information such that it almost always reduces the social welfare. We extend our analysis and provide a new mechanism named Federally-Funded Social Planner that always performs better.
Keywords: software vulnerability, market mechanism, information security, disclosure policy
Date posted: March 1, 2006