Market for Software Vulnerabilities? Think Again

Karthik Natarajan Kannan

Purdue University

Rahul Telang

Carnegie Mellon University - H. John Heinz III School of Public Policy and Management

Management Science, Vol. 51, No. 5, 2005

Software vulnerabilities and the lack of information security have been receiving a lot of media attention lately, as attacks exploiting vulnerabilities cause significant economic damage. Since new software vulnerabilities emerge every day, how information about them is disclosed is a critical concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers (who report vulnerability information voluntarily) and users of the software. After verifying a reported vulnerability and obtaining remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public advisory to inform software users about it. Of late, firms such as iDefense have been proposing a different, market-based mechanism in which the infomediary pays identifiers a monetary reward for each vulnerability disclosed to it. The infomediary then shares this information only with its client base, and clients use it to protect themselves against attacks that exploit those specific vulnerabilities.

The key question addressed in our paper is whether a move towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. One would generally expect an active market-based mechanism to perform better than a passive, CERT-type mechanism. Surprisingly, we find that the market mechanism underperforms the CERT-type mechanism when benign identifiers voluntarily provide vulnerability information. More importantly, we find that a monopolist infomediary has an incentive to misuse the vulnerability information it acquires, and that this misuse almost always reduces social welfare. We extend our analysis and propose a new mechanism, a Federally-Funded Social Planner, that always performs better than the market mechanism.

Keywords: software vulnerability, market mechanism, information security, disclosure policy

Date posted: March 1, 2006  

Suggested Citation

Kannan, Karthik Natarajan and Telang, Rahul, Market for Software Vulnerabilities? Think Again. Management Science, Vol. 51, No. 5, 2005. Available at SSRN: https://ssrn.com/abstract=867025

Contact Information

Karthik Natarajan Kannan
Purdue University
Krannert School of Management
West Lafayette, IN 47907
United States
Rahul Telang (Contact Author)
Carnegie Mellon University - H. John Heinz III School of Public Policy and Management
4800 Forbes Ave
Pittsburgh, PA 15213-3890
United States
412-268-1155 (Phone)