Optimal Policy for Software Vulnerability Disclosure

2005-01-01T00:00:00Z (GMT) by Ashish Arora, Rahul Telang, Hao Xu
Software vulnerabilities represent a serious threat: most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure: white-hats who discover vulnerabilities, security mailing lists and CERT follow different ad-hoc policies. This paper develops a framework to analyze the optimal timing of disclosure policy (the time given to a vendor to patch the vulnerability). Disclosure policy indirectly affects the speed and quality of the patch that a vendor develops, and thus CERT and similar bodies acting in the public interest can use it to influence the behavior of vendors and reduce social cost. We formulate a game-theoretic model involving a social planner who sets disclosure policy and a vendor who decides on patching. We show that vendors always choose to patch later than a socially optimal disclosure time. The social planner can optimally shrink the time window of disclosure to push vendors to deliver a patch in a timely manner. We extend the basic model in a number of directions, most importantly by allowing the proportion of users implementing patches to depend upon the quality of the patch, which is itself a choice variable for the vendor. Our paper provides a decision framework for understanding how disclosure timing may affect a vendor's decision and, in turn, what a policy maker should do.