Issue No.01 - January-February (2005 vol.3)
Ashish Arora, Carnegie Mellon University
Rahul Telang, Carnegie Mellon University
DOI Bookmark: http://doi.ieeecomputersociety.org/10.1109/MSP.2005.12
Information security breaches frequently exploit software flaws or vulnerabilities, causing significant economic losses. Considerable debate and disagreement exist about how to disclose vulnerabilities to the public. A theoretical framework helps identify the key data elements needed to develop a sensible way of handling vulnerability disclosure. The authors analyzed two data sets (vendor response to disclosure and attack data from honeypots), which are useful for understanding how attackers respond to disclosure.
software vulnerability, disclosure policy, economic analysis, patching
Ashish Arora, Rahul Telang, "Economics of Software Vulnerability Disclosure", IEEE Security & Privacy, vol.3, no. 1, pp. 20-25, January-February 2005, doi:10.1109/MSP.2005.12