A Comparison of Market Approaches to Software Vulnerability Disclosure

Conference paper: Emerging Trends in Information and Communication Security (ETRICS 2006)

Part of the book series: Lecture Notes in Computer Science (LNCS, volume 3995)

Abstract

Practical computer (in)security is largely driven by the existence of, and knowledge about, vulnerabilities that can be exploited to breach security mechanisms. Although the details of responsible vulnerability disclosure remain controversial, there is broad consensus that better information sharing is socially beneficial. In recent years we have observed the emergence of “vulnerability markets” as a means to stimulate the exchange of such information. However, this term subsumes a broad range of different concepts, which are easily confused. This paper provides a first attempt to structure the field by (1) proposing a terminology for the distinct concepts and (2) defining criteria that allow a better comparison between different approaches. Applying this framework to four market types shows notable differences between the approaches.

Copyright information

© 2006 Springer-Verlag Berlin Heidelberg

About this paper

Cite this paper

Böhme, R. (2006). A Comparison of Market Approaches to Software Vulnerability Disclosure. In: Müller, G. (eds) Emerging Trends in Information and Communication Security. ETRICS 2006. Lecture Notes in Computer Science, vol 3995. Springer, Berlin, Heidelberg. https://doi.org/10.1007/11766155_21

  • DOI: https://doi.org/10.1007/11766155_21

  • Publisher Name: Springer, Berlin, Heidelberg

  • Print ISBN: 978-3-540-34640-1

  • Online ISBN: 978-3-540-34642-5
