Market for Software Vulnerabilities? Think Again

Management Science, Vol. 51, No. 5, 2005

Posted: 1 Mar 2006


Karthik Natarajan Kannan

Purdue University

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Abstract

Software vulnerabilities and the lack of information security have been receiving a lot of media attention lately, as attacks exploiting vulnerabilities cause significant economic damage. Since new software vulnerabilities are emerging every day, disclosing information about them is a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers (who report vulnerability information voluntarily) and users of the software. After verifying a reported vulnerability and obtaining remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public advisory to inform software users about it. Of late, firms such as iDefense have been proposing a different, market-based mechanism in which the infomediary provides monetary rewards to identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its client base. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities.

The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active market-based mechanism is expected to perform better than a passive CERT-type mechanism. Surprisingly, we find that a market mechanism underperforms when benign users voluntarily provide vulnerability information. More importantly, we find that a monopolist always has an incentive to misuse the vulnerability information in a way that almost always reduces social welfare. We extend our analysis and propose a new mechanism, named the Federally-Funded Social Planner, that always performs better.

Keywords: software vulnerability, market mechanism, information security, disclosure policy

Suggested Citation

Kannan, Karthik Natarajan and Telang, Rahul, Market for Software Vulnerabilities? Think Again. Management Science, Vol. 51, No. 5, 2005, Available at SSRN: https://ssrn.com/abstract=867025

Karthik Natarajan Kannan

Purdue University

Krannert School of Management
West Lafayette, IN 47907
United States

Rahul Telang (Contact Author)

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)
