NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY *
Author(s) - CHOI JAY PIL, FERSHTMAN CHAIM, GANDAL NEIL
Publication year - 2010
Publication title - The Journal of Industrial Economics
Language(s) - English
Resource type - Journals
SCImago Journal Rank - 0.93
H-Index - 77
eISSN - 1467-6451
pISSN - 0022-1821
DOI - 10.1111/j.1467-6451.2010.00435.x
Subject(s) - hacker , secure coding , computer security , business , vulnerability (computing) , dilemma , full disclosure , internet privacy , security bug , software , vulnerability management , security policy , vulnerability assessment , computer science , information security , software security assurance , security service , psychology , philosophy , epistemology , psychological resilience , psychotherapist , programming language
Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and a ‘bug bounty’ program.
