Software vulnerabilities represent a serious threat: most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure - white-hats who discover vulnerabilities, security mailing lists and CERT all follow different ad-hoc policies. This paper develops a framework to analyze the optimal timing of disclosure policy (the time given to the vendor to patch the vulnerability). Disclosure policy indirectly affects the speed and quality of the patch that a vendor develops, and thus CERT and similar bodies acting in the public interest can use it to influence the behavior of vendors and reduce social cost. This paper formulates a game-theoretic model involving a social planner who sets disclosure policy and a vendor who decides on patching. It is shown that vendors always choose to patch later than the socially optimal disclosure time. The social planner can optimally shrink the disclosure time window to push vendors to deliver a patch in a timely manner. The basic model is extended in a number of directions, most importantly by allowing the proportion of users who implement patches to depend upon the quality of the patch, which is itself a choice variable for the vendor. The paper provides a decision framework for understanding how disclosure timing may affect the vendor’s decision and, in turn, what a policy maker should do.