Researchers: Ashish Arora
Cross Cutting Thrusts: Software Security
Response to Software Vulnerabilities
"Response to Software Vulnerabilities" examines alternative public policies for the disclosure of vulnerability information, addressing questions that matter to software vendors and users alike.
Drawing on industry sources and case studies, the project has two main components. The first models the fundamental decision faced by software companies when setting a disclosure rule for vulnerability information: it formally examines the tradeoff inherent in any such rule, together with the associated economic incentives and risks. The key stakeholders in this model are software vendors, users, and attackers.
The second component models firms' reactions to software vulnerabilities: the decisions they make, the actions they take, and the time they take to correct a vulnerability. By examining how the correction timeframe varies across firms, vulnerability types, and source types, the model is intended to identify whether the rate of response to vulnerabilities is correlated with firm type, vulnerability type, and/or source.
Overall, this project provides insight into how firms decide to respond to software vulnerabilities, and into the type and structure of the firms that do respond. It should yield useful information on optimal vulnerability disclosure policies and help inform current debates about information security.