An Economic Analysis of Market for Software Vulnerabilities

Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, Computer Emergency Response Team (CERT) has been acting as an infomediary between benign identifiers (who report vulnerability information voluntarily) and software users. After verifying a reported vulnerability, the infomediary – CERT – sends out a public “advisory” so that users can safeguard their systems against potential exploits. Of late, firms such as iDefense have been implementing a different market-based approach for vulnerability disclosure where the “market-based” infomediary provides monetary rewards to identifiers for each vulnerability disclosed to it. The infomediary shares this information with its client base. Using this information, clients protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active “market-based mechanism” for vulnerabilities almost always underperforms a passive CERT-type mechanism. We provide intuitions to this counter-intuitive result. Further, our paper provides policy recommendations that improve the relative performance of the market-based mechanism though not completely. Finally, we extend our analysis and analyze a new mechanism – “Federally-Funded Social Planner” – that always performs better than a market-based mechanism.