LEADER |
01000caa a22002652 4500 |
001 |
JST056227280 |
003 |
DE-627 |
005 |
20240622021204.0 |
007 |
cr uuu---uuuuu |
008 |
150324s2005 xx |||||o 00| ||eng c |
035 |
|
|
|a (DE-627)JST056227280
|
035 |
|
|
|a (JST)20110369
|
040 |
|
|
|a DE-627
|b ger
|c DE-627
|e rakwb
|
041 |
|
|
|a eng
|
100 |
1 |
|
|a Kannan, Karthik
|e verfasserin
|4 aut
|
245 |
1 |
0 |
|a Market for Software Vulnerabilities? Think Again
|
264 |
|
1 |
|c 2005
|
336 |
|
|
|a Text
|b txt
|2 rdacontent
|
337 |
|
|
|a Computermedien
|b c
|2 rdamedia
|
338 |
|
|
|a Online-Ressource
|b cr
|2 rdacarrier
|
520 |
|
|
|a Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary's incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism, a federally funded social planner, always performs better than a market-based mechanism.
|
540 |
|
|
|a Copyright 2005 INFORMS
|
650 |
|
4 |
|a information security
|
650 |
|
4 |
|a software vulnerabilities
|
650 |
|
4 |
|a vulnerability disclosure
|
650 |
|
4 |
|a game theory
|
650 |
|
4 |
|a public policy
|
650 |
|
4 |
|a Economics
|x Economic disciplines
|x Financial economics
|x Financial markets
|x Market mechanisms
|
650 |
|
4 |
|a Information science
|x Library science
|x Library operations
|x Identifiers
|
650 |
|
4 |
|a Applied sciences
|x Computer science
|x Computer engineering
|x Computer software
|
650 |
|
4 |
|a Economics
|x Economic disciplines
|x Financial economics
|x Finance
|x Financial instruments
|x Financial securities
|
650 |
|
4 |
|a Mathematics
|x Applied mathematics
|x Management science
|
650 |
|
4 |
|a Information science
|x Information management
|x Information sharing
|
650 |
|
4 |
|a Mathematics
|x Mathematical expressions
|
650 |
|
4 |
|a Business
|x Business operations
|x Commerce
|x Trade
|x Vendors
|
650 |
|
4 |
|a Business
|x Business operations
|x Commerce
|x Financial transactions
|x Payments
|x Fees
|
650 |
|
4 |
|a Applied sciences
|x Computer science
|x Computer engineering
|x Cybersecurity
|
655 |
|
4 |
|a research-article
|
700 |
1 |
|
|a Telang, Rahul
|e verfasserin
|4 aut
|
773 |
0 |
8 |
|i Enthalten in
|t Management Science
|d Institute for Operations Research and the Management Sciences, 1954
|g 51(2005), 5, Seite 726-740
|w (DE-627)320623602
|w (DE-600)2023019-9
|x 15265501
|7 nnns
|
773 |
1 |
8 |
|g volume:51
|g year:2005
|g number:5
|g pages:726-740
|
856 |
4 |
0 |
|u https://www.jstor.org/stable/20110369
|3 Volltext
|
912 |
|
|
|a GBV_USEFLAG_A
|
912 |
|
|
|a SYSFLAG_A
|
912 |
|
|
|a GBV_JST
|
912 |
|
|
|a GBV_ILN_11
|
912 |
|
|
|a GBV_ILN_20
|
912 |
|
|
|a GBV_ILN_22
|
912 |
|
|
|a GBV_ILN_23
|
912 |
|
|
|a GBV_ILN_24
|
912 |
|
|
|a GBV_ILN_31
|
912 |
|
|
|a GBV_ILN_32
|
912 |
|
|
|a GBV_ILN_39
|
912 |
|
|
|a GBV_ILN_40
|
912 |
|
|
|a GBV_ILN_60
|
912 |
|
|
|a GBV_ILN_62
|
912 |
|
|
|a GBV_ILN_63
|
912 |
|
|
|a GBV_ILN_65
|
912 |
|
|
|a GBV_ILN_69
|
912 |
|
|
|a GBV_ILN_70
|
912 |
|
|
|a GBV_ILN_90
|
912 |
|
|
|a GBV_ILN_95
|
912 |
|
|
|a GBV_ILN_100
|
912 |
|
|
|a GBV_ILN_110
|
912 |
|
|
|a GBV_ILN_120
|
912 |
|
|
|a GBV_ILN_151
|
912 |
|
|
|a GBV_ILN_152
|
912 |
|
|
|a GBV_ILN_187
|
912 |
|
|
|a GBV_ILN_224
|
912 |
|
|
|a GBV_ILN_285
|
912 |
|
|
|a GBV_ILN_374
|
912 |
|
|
|a GBV_ILN_702
|
912 |
|
|
|a GBV_ILN_2001
|
912 |
|
|
|a GBV_ILN_2003
|
912 |
|
|
|a GBV_ILN_2005
|
912 |
|
|
|a GBV_ILN_2006
|
912 |
|
|
|a GBV_ILN_2007
|
912 |
|
|
|a GBV_ILN_2008
|
912 |
|
|
|a GBV_ILN_2009
|
912 |
|
|
|a GBV_ILN_2010
|
912 |
|
|
|a GBV_ILN_2011
|
912 |
|
|
|a GBV_ILN_2014
|
912 |
|
|
|a GBV_ILN_2015
|
912 |
|
|
|a GBV_ILN_2018
|
912 |
|
|
|a GBV_ILN_2020
|
912 |
|
|
|a GBV_ILN_2021
|
912 |
|
|
|a GBV_ILN_2026
|
912 |
|
|
|a GBV_ILN_2027
|
912 |
|
|
|a GBV_ILN_2034
|
912 |
|
|
|a GBV_ILN_2044
|
912 |
|
|
|a GBV_ILN_2048
|
912 |
|
|
|a GBV_ILN_2050
|
912 |
|
|
|a GBV_ILN_2055
|
912 |
|
|
|a GBV_ILN_2056
|
912 |
|
|
|a GBV_ILN_2057
|
912 |
|
|
|a GBV_ILN_2059
|
912 |
|
|
|a GBV_ILN_2061
|
912 |
|
|
|a GBV_ILN_2065
|
912 |
|
|
|a GBV_ILN_2068
|
912 |
|
|
|a GBV_ILN_2106
|
912 |
|
|
|a GBV_ILN_2107
|
912 |
|
|
|a GBV_ILN_2108
|
912 |
|
|
|a GBV_ILN_2111
|
912 |
|
|
|a GBV_ILN_2112
|
912 |
|
|
|a GBV_ILN_2113
|
912 |
|
|
|a GBV_ILN_2118
|
912 |
|
|
|a GBV_ILN_2122
|
912 |
|
|
|a GBV_ILN_2129
|
912 |
|
|
|a GBV_ILN_2143
|
912 |
|
|
|a GBV_ILN_2147
|
912 |
|
|
|a GBV_ILN_2148
|
912 |
|
|
|a GBV_ILN_2152
|
912 |
|
|
|a GBV_ILN_2153
|
912 |
|
|
|a GBV_ILN_2190
|
912 |
|
|
|a GBV_ILN_2232
|
912 |
|
|
|a GBV_ILN_2472
|
912 |
|
|
|a GBV_ILN_2935
|
912 |
|
|
|a GBV_ILN_2940
|
912 |
|
|
|a GBV_ILN_2949
|
912 |
|
|
|a GBV_ILN_2950
|
912 |
|
|
|a GBV_ILN_4012
|
912 |
|
|
|a GBV_ILN_4035
|
912 |
|
|
|a GBV_ILN_4037
|
912 |
|
|
|a GBV_ILN_4046
|
912 |
|
|
|a GBV_ILN_4112
|
912 |
|
|
|a GBV_ILN_4125
|
912 |
|
|
|a GBV_ILN_4126
|
912 |
|
|
|a GBV_ILN_4242
|
912 |
|
|
|a GBV_ILN_4246
|
912 |
|
|
|a GBV_ILN_4249
|
912 |
|
|
|a GBV_ILN_4251
|
912 |
|
|
|a GBV_ILN_4305
|
912 |
|
|
|a GBV_ILN_4306
|
912 |
|
|
|a GBV_ILN_4307
|
912 |
|
|
|a GBV_ILN_4313
|
912 |
|
|
|a GBV_ILN_4322
|
912 |
|
|
|a GBV_ILN_4323
|
912 |
|
|
|a GBV_ILN_4324
|
912 |
|
|
|a GBV_ILN_4325
|
912 |
|
|
|a GBV_ILN_4326
|
912 |
|
|
|a GBV_ILN_4335
|
912 |
|
|
|a GBV_ILN_4338
|
912 |
|
|
|a GBV_ILN_4346
|
912 |
|
|
|a GBV_ILN_4393
|
912 |
|
|
|a GBV_ILN_4700
|
951 |
|
|
|a AR
|
952 |
|
|
|d 51
|j 2005
|e 5
|h 726-740
|