DocumentCode :
1085802
Title :
Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge
Author :
Cavusoglu, Hasan ; Cavusoglu, Huseyin ; Raghunathan, Srinivasan
Author_Institution :
Sauder Sch. of Bus., British Columbia Univ., Vancouver, BC
Volume :
33
Issue :
3
fYear :
2007
fDate :
3/1/2007 12:00:00 AM
Firstpage :
171
Lastpage :
185
Abstract :
Security vulnerabilities in software are one of the primary reasons for security breaches, and an important challenge from a knowledge management perspective is to determine how to manage the disclosure of knowledge about those vulnerabilities. The security community has proposed several disclosure mechanisms, such as full vendor, immediate public, and hybrid, and has debated the merits and demerits of these alternatives. In this paper, we study how vulnerabilities should be disclosed to minimize the social loss. We find that the characteristics of the vulnerability (vulnerability risk before and after disclosure), the cost structure of the software user population, and the vendor's incentives to develop a patch determine the optimal (responsible) vulnerability disclosure. We show that, unlike some existing vulnerability disclosure mechanisms that fail to motivate the vendor to release its patch, a responsible vulnerability disclosure policy always ensures the release of a patch. However, we find that this is not because of the threat of public disclosure, as argued by some security practitioners. In fact, not restricting the vendor with a time constraint can ensure the patch release. This result runs counter to the argument of some that setting a grace period always pushes the vendor to develop a patch. When the vulnerability affects multiple vendors, we show that the responsible disclosure policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator's grace period in the multiple vendor case falls between the grace periods that it would set individually for the vendors in the single vendor case. This implies that the coordinator does not necessarily increase the grace period to accommodate more vendors.
We then extend our base model to analyze the impact on responsible vulnerability disclosure of 1) early discovery and 2) an early warning system that provides privileged vulnerability knowledge to selected users before the release of a patch for the vulnerability. We show that while early discovery always improves the social welfare, an early warning system does not necessarily improve the social welfare.
Keywords :
DP industry; knowledge management; security of data; software cost estimation; software development management; software reliability; early discovery system; early warning system; economic modeling; information security; knowledge management perspective; security breach; social welfare; software cost structure; software patch release; software security vulnerability risk disclosure mechanism; software vendor incentives; vulnerability knowledge dissemination; Alarm systems; Computer hacking; Cost function; Counting circuits; Game theory; Helium; Information security; Internet; Knowledge management; Time factors; Information security; disclosure mechanisms; economic modeling; game theory; responsible vulnerability disclosure; software vulnerabilities;
fLanguage :
English
Journal_Title :
Software Engineering, IEEE Transactions on
Publisher :
ieee
ISSN :
0098-5589
Type :
jour
DOI :
10.1109/TSE.2007.26
Filename :
4084135