To Disclose or Not? An Analysis of Software User Behavior
Authors: D. Nizovtsev, Marie C. Thursby
DOI: 10.2139/ssrn.899863 (https://doi.org/10.2139/ssrn.899863)
Published in: Kauffman: Small Research Projects (Topic), 2006-04-30
Publication type: Journal Article
Citation count: 27
Abstract
This paper addresses the ongoing debate over disclosing information about software vulnerabilities through an open public forum. Using a game-theoretic approach, we show that full public disclosure may be an equilibrium strategy in a game played by rational loss-minimizing agents. We provide conditions under which full public disclosure of vulnerabilities is desirable from a social welfare standpoint. We analyze the effect of several vendor and product characteristics and the composition of the pool of software users on the decisions to disclose and on social welfare. We also examine models in which users may spend effort to develop a fix or threaten vendors to disclose after a grace period. We show that to the extent that users are able to develop fixes for discovered vulnerabilities without inordinate effort, welfare is further improved. This is more likely the more familiar users are with the details of the software, providing an argument for "open source" software.