The Center for Education and Research in Information Assurance and Security (CERIAS)


Karthik Kannan - Krannert School of Management, Purdue University


Economic Analysis of the Market for software vulnerability disclosure

Oct 01, 2003

Abstract

Software vulnerability disclosure has been a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers, who report vulnerability information, and users of the software. After verifying a reported vulnerability and obtaining the remediation, in the form of a patch, from the software vendor, the infomediary (CERT) sends out a public "advisory" to inform software users about it. In this traditional mechanism, reporting vulnerabilities is voluntary, with no explicit monetary gain to benign identifiers.

Of late, firms such as iDefense have been proposing a different, market-based mechanism. In this market-based mechanism, the infomediary rewards identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its clients, who are users of the software. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active "market-based mechanism" is expected to perform better than a passive "CERT"-type mechanism.

Surprisingly, we find that a monopolist has an incentive to "misuse" the vulnerability information in a way that almost always reduces social welfare. Even when the "misuse" of information is prevented, we observe that under certain conditions the market-based infomediary generates higher industry loss than a CERT-type one, and vice versa. We extend our paper to analyze some other mechanisms as well and observe that a Federally-Funded Social Planner always performs at least as well as the other mechanisms.

About the Speaker

Karthik Kannan is an Assistant Professor of Information Systems at the Krannert School of Management, Purdue University. His research interests span the areas of information security, electronic markets, and peer-to-peer computing. His paper "On Analyzing Interactions in a Software-Agent Based Marketplace" won the best paper award at WITS 2000. He is a member of ACM and INFORMS.

