Appendix for Network Software Security and User Incentives

Proof of Lemma 1: In order to characterize the equilibrium, we first start with the second period decisions for the consumers who purchased the product in the first period. If, in the second period, no vulnerabilities arise then there is no decision to make for a consumer. Suppose a vulnerability arises. If a consumer with valuation v decides to patch the software, her expected total payoff is v− p− cp. Notice that the consumer only incurs a patching cost when vulnerabilities actually occur. Suppose she decides not to patch and the total mass of unpatched population is u. In this case, her expected payoff is v − p − πuαv. Therefore, a consumer who buys the product patches in the second period in case a security vulnerability is revealed if and only if v≥ cp πuα . (A.1)