Market for Software Vulnerabilities? Think Again

Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary's incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism (a federally funded social planner) always performs better than a market-based mechanism.


Bibliographic details
Published in: Management Science. - Institute for Operations Research and the Management Sciences, 1954. - 51(2005), 5, pages 726-740
Primary author: Kannan, Karthik (Author)
Other authors: Telang, Rahul
Format: Online article
Language: English
Published: 2005
Access to the parent work: Management Science
Subjects: information security; software vulnerabilities; vulnerability disclosure; game theory; public policy; Economics; Information science; Applied sciences; Mathematics; Business
LEADER 01000caa a22002652 4500
001 JST056227280
003 DE-627
005 20240622021204.0
007 cr uuu---uuuuu
008 150324s2005 xx |||||o 00| ||eng c
035 |a (DE-627)JST056227280 
035 |a (JST)20110369 
040 |a DE-627  |b ger  |c DE-627  |e rakwb 
041 |a eng 
100 1 |a Kannan, Karthik  |e verfasserin  |4 aut 
245 1 0 |a Market for Software Vulnerabilities? Think Again 
264 1 |c 2005 
336 |a Text  |b txt  |2 rdacontent 
337 |a Computermedien  |b c  |2 rdamedia 
338 |a Online-Ressource  |b cr  |2 rdacarrier 
520 |a Software vulnerability disclosure has become a critical area of concern for policymakers. Traditionally, a Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public advisory so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The market-based infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement toward such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated market-based mechanism for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counterintuitive result is attributed to the market-based infomediary's incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. Even a regulated market-based mechanism performs better than a CERT-type one, but only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism--federally funded social planner--always performs better than a market-based mechanism. 
540 |a Copyright 2005 INFORMS 
650 4 |a information security 
650 4 |a software vulnerabilities 
650 4 |a vulnerability disclosure 
650 4 |a game theory 
650 4 |a public policy 
650 4 |a Economics  |x Economic disciplines  |x Financial economics  |x Financial markets  |x Market mechanisms 
650 4 |a Information science  |x Library science  |x Library operations  |x Identifiers 
650 4 |a Applied sciences  |x Computer science  |x Computer engineering  |x Computer software 
650 4 |a Economics  |x Economic disciplines  |x Financial economics  |x Finance  |x Financial instruments  |x Financial securities 
650 4 |a Mathematics  |x Applied mathematics  |x Management science 
650 4 |a Information science  |x Information management  |x Information sharing 
650 4 |a Mathematics  |x Mathematical expressions 
650 4 |a Business  |x Business operations  |x Commerce  |x Trade  |x Vendors 
650 4 |a Business  |x Business operations  |x Commerce  |x Financial transactions  |x Payments  |x Fees 
650 4 |a Applied sciences  |x Computer science  |x Computer engineering  |x Cybersecurity 
655 4 |a research-article 
700 1 |a Telang, Rahul  |e verfasserin  |4 aut 
773 0 8 |i Enthalten in  |t Management Science  |d Institute for Operations Research and the Management Sciences, 1954  |g 51(2005), 5, Seite 726-740  |w (DE-627)320623602  |w (DE-600)2023019-9  |x 15265501  |7 nnns 
773 1 8 |g volume:51  |g year:2005  |g number:5  |g pages:726-740 
856 4 0 |u https://www.jstor.org/stable/20110369  |3 Volltext 
951 |a AR 
952 |d 51  |j 2005  |e 5  |h 726-740