Software vulnerability disclosure and security investment

L'impact de la divulgation d’une faille de sécurité: au-delà des motivations de l’éditeur de logiciel

Arrah-Marie Jo ()
Additional contact information
Arrah-Marie Jo: MARSOUIN - Môle Armoricain de Recherche sur la SOciété de l'information et des usages d'INternet - UR - Université de Rennes - UBS - Université de Bretagne Sud - ENSAI - Ecole Nationale de la Statistique et de l'Analyse de l'Information [Bruz] - UBO - Université de Brest - IMT - Institut Mines-Télécom [Paris] - UR2 - Université de Rennes 2 - UBL - Université Bretagne Loire - IMT Atlantique - IMT Atlantique - IMT - Institut Mines-Télécom [Paris], LEGO - Laboratoire d'Economie et de Gestion de l'Ouest - UBS - Université de Bretagne Sud - UBO - Université de Brest - IMT - Institut Mines-Télécom [Paris] - IBSHS - Institut Brestois des Sciences de l'Homme et de la Société - UBO - Université de Brest - UBL - Université Bretagne Loire - IMT Atlantique - IMT Atlantique - IMT - Institut Mines-Télécom [Paris], IMT Atlantique - LUSSI - Département Logique des Usages, Sciences sociales et Sciences de l'Information - IMT Atlantique - IMT Atlantique - IMT - Institut Mines-Télécom [Paris]

Post-Print from HAL

Abstract: Around the debate on software vulnerability disclosure, existing works have mostly explored how disclosure gives an incentive to software vendors to better secure their software. The role of third parties such as business users, security firms or downstream software vendors is rarely taken account, while in fact these actors are increasingly involved in improving the security of a software. In this paper, we argue that vulnerability disclosure may act as a signal that revises the perceived security quality of the affected software and we examine how it affects the level of security effort exerted by different actors. Using data from 2009 to 2018 on a public vulnerability database, we show that after the disclosure of a critical vulnerability, the vulnerability research activity on the software that is subject to the disclosure significantly increases compared to the control group of unaffected software. In particular, vulnerability disclosure has a greater impact on actors who perceive the disclosure as an opportunity to find new security flaw and to financially benefit from it (such as the security firms and individual researchers) than on those who suffer the security risks (such as users and downstream vendors).

Keywords: information security economics; software vulnerability disclosure; vulnerability discovery; software security (search for similar items in EconPapers)
Date: 2019-06-03
Note: View the original document on HAL open archive server: https://hal.science/hal-03033198v1
References: View references in EconPapers View complete reference list from CitEc
Citations:

Published in Workshop on the Economics of Information Security (WEIS 2019), Boston College; Harvard University, Jun 2019, Boston, MA, United States

Downloads: (external link)
https://hal.science/hal-03033198v1/document (application/pdf)

Related works:
This item may be available elsewhere in EconPapers: Search for items with the same title.

Export reference: BibTeX RIS (EndNote, ProCite, RefMan) HTML/Text

Persistent link: https://EconPapers.repec.org/RePEc:hal:journl:hal-03033198

Access Statistics for this paper

More papers in Post-Print from HAL
Bibliographic data for series maintained by CCSD ().