Skip to Main content Skip to Navigation
Conference papers

Software vulnerability disclosure and security investment

Abstract : Around the debate on software vulnerability disclosure, existing works have mostly explored how disclosure gives an incentive to software vendors to better secure their software. The role of third parties such as business users, security firms or downstream software vendors is rarely taken account, while in fact these actors are increasingly involved in improving the security of a software. In this paper, we argue that vulnerability disclosure may act as a signal that revises the perceived security quality of the affected software and we examine how it affects the level of security effort exerted by different actors. Using data from 2009 to 2018 on a public vulnerability database, we show that after the disclosure of a critical vulnerability, the vulnerability research activity on the software that is subject to the disclosure significantly increases compared to the control group of unaffected software. In particular, vulnerability disclosure has a greater impact on actors who perceive the disclosure as an opportunity to find new security flaw and to financially benefit from it (such as the security firms and individual researchers) than on those who suffer the security risks (such as users and downstream vendors).
Complete list of metadata
Contributor : Arrah-Marie Jo Connect in order to contact the contributor
Submitted on : Tuesday, January 5, 2021 - 10:47:30 PM
Last modification on : Thursday, November 18, 2021 - 3:04:04 AM


  • HAL Id : hal-03098944, version 1


Arrah-Marie Jo. Software vulnerability disclosure and security investment. WEIS 2019 : 18th Annual Workshop on the Economics of Information Security, Boston College; Harvard University, Jun 2019, Boston, United States. ⟨hal-03098944⟩



Record views