File(s) stored somewhere else
Please note: Linked content is NOT stored on Carnegie Mellon University and we can't guarantee its availability, quality, security or accept any liability.
Optimal Policy for Software Vulnerability Disclosure
journal contributionposted on 2005-01-01, 00:00 authored by Ashish Arora, Rahul TelangRahul Telang, Hao Xu
Software vulnerabilities represent a serious threat: most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure – white-hats who discover vulnerabilities, security mailing lists and CERT follow different ad-hoc policies. This paper develops a framework to analyze the optimal timing of disclosure policy (time given to vendor to patch the vulnerability). Disclosure policy indirectly affects how the speed and quality of the patch that a vendor develops, and thus CERT and similar bodies acting in the public interest can use it to influence behavior of vendors and reduce social cost. We formulate a game-theoretic model involving a social planner who sets disclosure policy and a vendor who decides on patching. We show that vendors always choose to patch later than a socially optimal disclosure time. The social planner can optimally shrink the time window of disclosure to push vendors to deliver patch in a timely manner. We extend the basic model in a number of directions, most importantly, allowing for the proportion of users implementing patches to depend upon the quality of the patch, which is itself a choice variable for the vendor. Our paper provides a decision framework for understanding how disclosure timing may affect vendor’s decision and in turn, what should a policy maker do.