Market for Software Vulnerabilities? Think Again

Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public “advisory” so that users can safeguard their systems against potential exploits. Lately, firms such as iDefense have been implementing a new market-based approach for vulnerability information. The “market-based” infomediary provides monetary rewards to identifiers for each vulnerability reported. The infomediary then shares this information with its client base. Using this information, clients protect themselves against potential attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active unregulated “market-based mechanism” for vulnerabilities almost always underperforms a passive CERT-type mechanism. This counter-intuitive result is attributed to the market-based infomediary’s incentive to leak the vulnerability information inappropriately. If a profit-maximizing firm is not allowed to (or chooses not to) leak vulnerability information, we find that social welfare improves. But even a regulated market-based mechanism performs better than a CERT-type one, only under certain conditions. Finally, we extend our analysis and show that a proposed mechanism – “federally-funded social planner” – always performs better than a market-based mechanism. Forthcoming, Management Science ∗Authors would like to thank Charalambos Aliprantis, Ashish Arora, Jonathan P. Caulkins, Prabuddha De, Ramayya Krishnan, Jackie Reese, Drew Saunders, the department editor, the associate editor and the two anonymous reviewers for providing valuable suggestions. We also thank seminar participants at Purdue University, Carnegie Mellon University, HICSS 2004 and WEIS 2004 for their feedback. We notably appreciate the effort of Hao Xu in the making of this paper. †Krannert School of Management, Purdue University, [email protected] ‡H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, [email protected]