Optimal Policy for Software Vulnerability Disclosure [1]

Authors

  • Ashish Arora
  • Rahul Telang
  • Hao Xu
  • H. John Heinz
Abstract

Software vulnerabilities represent a serious threat to cyber security: most cyber-attacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in better patch quality. Another extension allows for some fraction of users to use “work-arounds”. We show that the possibility of work-arounds can provide the social planner more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost, due to the negative externalities imposed by the users who can use the work-arounds on the users who cannot.

Keywords: Economics of Cyber-Security, Software Vulnerability, Disclosure Policy, Instant Disclosure, Patching, Patch Quality.
Forthcoming: Management Science.

[1] The authors thank the participants at the Third Workshop on Economics and Information Security (WEIS 2004), Minneapolis, the Ninth INFORMS Conference on Information Systems and Technology (CIST) 2004, Denver, the ZEW Conference in Mannheim (2005) and seminar participants at Stanford University, for their valuable feedback. We also thank the DE, the AE, and two anonymous reviewers for many valuable suggestions, and Ed Barr for suggesting many improvements in the writing. This research was partially supported through a grant from CyLab, Carnegie Mellon University. Rahul Telang acknowledges the generous support of the National Science Foundation through the CAREER award CNS 0546009.

“First, the Nation needs a better-defined approach to the disclosure of vulnerabilities. The issue is complex because exposing vulnerabilities both helps speed the development of solutions and also creates opportunities for would-be attackers.” The National Strategy to Secure Cyberspace (2003: p. 33)


Similar sources

A Reputation-Based Mechanism for Software Vulnerability Disclosure

Whether and how to disclose software vulnerability information has been debated intensely. An optimal disclosure policy should balance the tradeoff between its impact on software vendors' incentives and the potential risks imposed on customers. Previous research on software vulnerability primarily focused on the timing aspect of the disclosure policy. In this paper, we investigate another dimen...


Emerging Issues in Responsible Vulnerability Disclosure

Security vulnerability in software is the primary reason for security breaches, and an important challenge for IT professionals is how to manage the disclosure of vulnerability information. The IT security community has proposed several disclosure policies, such as full vendor, immediate public and hybrid, and has debated which of these should be adopted by coordinating agencies such as CERT. O...


Optimal Policy for Software Vulnerability Disclosure

Disclosing vulnerabilities in a timely fashion is a real and ever more important policy question. Late disclosure reduces the time window during which customers are exposed to attacks, but decreases the vendor’s willingness to deliver a quick patch. Currently, there is little or no guidance, with each organization following its own ad-hoc policy. This paper is to demonstrate how through optimal timing of discl...


Poster: System thinking of the Software Vulnerability Market via Complex Network Theory

Uncovering the patterns of software vulnerabilities can be helpful for policy making to remove or reduce the effect of software vulnerabilities. In order to understand the emerging pattern in software vulnerabilities, taking advantage of complex network theory, this paper considers the software vulnerability market as a dynamic complex system and then proposes a heterogeneous ne...


Vulnerability Disclosure and Software Provision

Internet Security, Vulnerability Disclosure and Software Provision. In this paper, we examine how software vulnerabilities affect firms that license software and consumers that purchase software. In particular, we model three decisions of the firm: (i) an upfront investment in the quality of the software to reduce potential vulnerabilities; (ii) a policy decision whether to announce vulnerabili...


Publication date: 2007