A Comparison of Market Approaches to Software Vulnerability Disclosure

  • Rainer Böhme
Part of the Lecture Notes in Computer Science book series (LNCS, volume 3995)

Abstract

Practical computer (in)security is largely driven by the existence of, and knowledge about, vulnerabilities that can be exploited to breach security mechanisms. Although the details of responsible vulnerability disclosure remain controversial, there is a broad consensus that better information sharing is socially beneficial. In recent years we have observed the emergence of “vulnerability markets” as a means to stimulate the exchange of such information. However, this term subsumes a broad range of different concepts, which are easily confused. This paper provides a first attempt to structure the field by (1) proposing a terminology for the distinct concepts and (2) defining criteria that allow for better comparability between different approaches. Applying this framework to four market types shows notable differences between the approaches.



Copyright information

© Springer-Verlag Berlin Heidelberg 2006

Authors and Affiliations

  • Rainer Böhme, Institute for System Architecture, Technische Universität Dresden, Dresden, Germany