Economic Analysis of the Market for software vulnerability disclosure


Karthik Kannan - Krannert School of Management, Purdue University

Oct 01, 2003


Abstract

Software vulnerability disclosure has been a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers, who report vulnerability information, and users of the software. After verifying a reported vulnerability and obtaining the remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public "advisory" to inform software users about it. In this traditional mechanism, reporting vulnerabilities is voluntary, with no explicit monetary gain to benign identifiers.

Of late, firms such as iDefense have been proposing a different, market-based mechanism. In this market-based mechanism, the infomediary rewards identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its clients, who are users of this software. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active "market-based mechanism" is expected to perform better than a passive "CERT"-type mechanism.

Surprisingly, we find that a monopolist has an incentive to "misuse" the vulnerability information in a way that almost always reduces social welfare. Even when the "misuse" of information is prevented, we observe that under certain conditions the market-based infomediary generates higher industry loss than a CERT-type one, and vice versa. We extend our paper to analyze some other mechanisms as well and observe that a federally funded social planner always performs at least as well as the other mechanisms.

About the Speaker

Karthik Kannan is an Assistant Professor of Information Systems at the Krannert School of Management, Purdue University. His research interests span the areas of information security, electronic markets, and peer-to-peer computing. His paper "On Analyzing Interactions in a Software-Agent Based Marketplace" won the best paper award at WITS 2000. He is a member of ACM and INFORMS.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52, West Lafayette Campus.

© 1999-2013 Purdue University. All rights reserved.

Use/Reuse Guidelines

CERIAS Seminar materials are intended for educational, non-commercial use only and any or all commercial use is prohibited. Any use must attribute "The CERIAS Seminar at Purdue University." Opinions expressed in the recordings are not necessarily representative of the views of CERIAS or of Purdue University.