CERIAS - Center for Education and Research in Information Assurance and Security


Economic Analysis of the Market for software vulnerability disclosure

Karthik Kannan - Krannert School of Management, Purdue University

Oct 01, 2003


Software vulnerability disclosure has been a critical area of concern for policy makers. Traditionally, the Computer Emergency Response Team (CERT) has acted as an infomediary between benign identifiers who report vulnerability information and users of the software. After verifying a reported vulnerability and obtaining remediation in the form of a patch from the software vendor, the infomediary (CERT) sends out a public "advisory" to inform software users about it. In this traditional mechanism, reporting vulnerabilities is voluntary, with no explicit monetary gains to benign identifiers.

Of late, firms such as iDefense have been proposing a different, market-based mechanism. In this market-based mechanism, the infomediary rewards identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its clients, who are users of this software. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active "market-based mechanism" is expected to perform better than a passive "CERT" type mechanism.

Surprisingly, we find that a monopolist has an incentive to "misuse" the vulnerability information such that it almost always reduces social welfare. Even when the "misuse" of information is prevented, we observe that under certain conditions the market-based infomediary generates higher industry loss than a CERT-type one, and vice versa. We extend our paper to analyze some other mechanisms as well and observe that a federally funded social planner always performs at least as well as the other mechanisms.

About the Speaker

Karthik Kannan is an Assistant Professor of Information Systems at the Krannert School of Management, Purdue University. His research interests span the areas of information security, electronic markets, and peer-to-peer computing. His research on "On Analyzing Interactions in a Software-Agent Based Marketplace" won the best paper award at WITS 2000. He is a member of ACM and INFORMS.

Unless otherwise noted, the security seminar is held on Wednesdays at 4:30 P.M. in STEW G52 (Suite 050B), West Lafayette Campus.


The views, opinions and assumptions expressed in these videos are those of the presenter and do not necessarily reflect the official policy or position of CERIAS or Purdue University. All content included in these videos is the property of Purdue University, the presenter and/or the presenter's organization, and is protected by U.S. and international copyright laws. The collection, arrangement and assembly of all content in these videos and on the hosting website is the exclusive property of Purdue University. You may not copy, reproduce, distribute, publish, display, perform, modify, create derivative works, transmit, or in any other way exploit any part of copyrighted material without permission from CERIAS, Purdue University.