Optimal Policy for Software Vulnerability Disclosure

Disclosing vulnerabilities in a timely fashion is a real and ever more important policy question. Late disclosure reduces the time window that customers are exposed to attacks, but decreases vendor’s willingness to deliver quick patch. Currently, there is little or no guidance with each organization following it own ad-hoc policy. This paper is to demonstrate how through optimal timing of disclosure policy (time given to vendor to patch the vulnerability), policy makers can influence behavior of vendors and reduce social cost. We formulate a game-theoretic model. We show that vendors always choose to patch later than a socially optimal disclosure time. Social planner can optimally shrink the time window of disclosure to push vendors to deliver patch in a timely manner. We show that, in general, neither instant disclosure nor non-disclosure is optimal. We then extend the model to allow uncertainty in developing patch and show that increasing uncertainty incurs more cost and vendor delivers quicker patch. In response to larger uncertainty, social planner should shrink the time window. We further extend the model so that the proportion of users implementing patches depends on both the time elapsed and the quality of the patch as well. The corresponding optimal policy is more flexible-vendors have more time to develop a higher-quality patch. Our paper provides a decision tool in understanding how disclosure timing may affect vendor’s decision and in turn, what should a policy maker do.