An Empirical Analysis of Vendor Response to Disclosure Policy

Software vulnerability disclosure has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and Security Focus databases to answer this question. Our results suggest that early disclosure has significant positive impact on the vendor patching speed. Open source vendors patch more quickly than closed source vendors and severe vulnerabilities are patched faster. We also find that vendors respond slower to vulnerabilities not disclosed by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC. We also find that vendors are more responsible after the 9/11 event.