A Reputation-Based Mechanism for Software Vulnerability Disclosure
Author
Abstract
Whether and how to disclose software vulnerability information has been debated intensely. An optimal disclosure policy should balance the tradeoff between its impact on software vendors' incentives and the potential risks imposed on customers. Previous research on software vulnerability has primarily focused on the timing aspect of the disclosure policy. In this paper, we investigate another dimension of the disclosure policy: its reputation aspect. We propose a disclosure mechanism integrated with a reputation system that reflects the software's security level. Reputation by itself can effectively provide an incentive for software vendors to fix vulnerabilities. Furthermore, the reputation operator can partially release vulnerability details to optimize social welfare.
Similar references
An Economic Analysis of Market for Software Vulnerabilities
Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, Computer Emergency Response Team (CERT) has been acting as an infomediary between benign identifiers (who report vulnerability information voluntarily) and software users. After verifying a reported vulnerability, the infomediary – CERT – sends out a public “advisory” so that users can safe...
Vulnerability Disclosure: The Strange Case of Bret McDanel
Responsible developers work hard to produce secure, reliable, and efficient software packages. No company wants its integrity compromised by hackers, employees, or legitimate users. Negative publicity damages a firm’s reputation. Legal proceedings can cost an organization millions and destroy any chance of long-term success. Realistically, few products are released without security flaws. Progr...
Market for Software Vulnerabilities? Think Again
Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, Computer Emergency Response Team (CERT) acts as an infomediary between benign identifiers (who voluntarily report vulnerability information) and software users. After verifying a reported vulnerability, CERT sends out a public “advisory” so that users can safeguard their systems against pot...
A Quest for a Framework to Improve Software Security: Vulnerability Black Markets Scenario
The discovery and management of software vulnerabilities after a product is released to the public is an important element of improving software quality and stability. The discovery of vulnerabilities enables exploitation and stimulates the development of patches or other protections, which in turn may or may not be deployed by product users. Various approaches have been developed to facilitate...
Vulnerability Disclosure and Software Provision
Internet Security, Vulnerability Disclosure and Software Provision* In this paper, we examine how software vulnerabilities affect firms that license software and consumers that purchase software. In particular, we model three decisions of the firm: (i) an upfront investment in the quality of the software to reduce potential vulnerabilities; (ii) a policy decision whether to announce vulnerabili...