Efficiency of Vulnerability Disclosure Mechanisms to Disseminate Vulnerability Knowledge

TLDR: It is found that the characteristics of the vulnerability (vulnerability risk before and after disclosure), cost structure of the software user population, and vendor's incentives to develop a patch determine the optimal (responsible) vulnerability disclosure.

Abstract: Security vulnerabilities in software are one of the primary reasons for security breaches, and an important challenge from knowledge management perspective is to determine how to manage the disclosure of knowledge about those vulnerabilities. The security community has proposed several disclosure mechanisms, such as full vendor, immediate public, and hybrid, and has debated about the merits and demerits of these alternatives. In this paper, we study how vulnerabilities should be disclosed to minimize the social loss. We find that the characteristics of the vulnerability (vulnerability risk before and after disclosure), cost structure of the software user population, and vendor's incentives to develop a patch determine the optimal (responsible) vulnerability disclosure. We show that, unlike some existing vulnerability disclosure mechanisms that fail to motivate the vendor to release its patch, responsible vulnerability disclosure policy always ensures the release of a patch. However, we find that this is not because of the threat of public disclosure, as argued by some security practitioners. In fact, not restricting the vendor with a time constraint can ensure the patch release. This result runs counter to the argument of some that setting a grace period always pushes the vendor to develop a patch. When the vulnerability affects multiple vendors, we show that the responsible disclosure policy cannot ensure that every vendor will release a patch. However, when the optimal policy does elicit a patch from each vendor, we show that the coordinator's grace period in the multiple vendor case falls between the grace periods that it would set individually for the vendors in the single vendor case. This implies that the coordinator does not necessarily increase the grace period to accommodate more vendors. We then extend our base model to analyze the impact of 1) early discovery and 2) an early warning system that provides privileged vulnerability knowledge to selected users before the release of a patch for the vulnerability on responsible vulnerability disclosure. We show that while early discovery always improves the social welfare, an early warning system does not necessarily improve the social welfare