The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Karthik Kannan - Krannert School of Management, Purdue University

Students: Fall 2024, unless noted otherwise, sessions will be virtual on Zoom.

Economic Analysis of the Market for software vulnerability disclosure

Oct 01, 2003

Abstract

Software vulnerability disclosure has been a critical area of concern
for policy makers. Traditionally, Computer Emergency Response Team (CERT) has been acting as an infomediary between benign identifiers who report vulnerability information and users of the software.
After verifying a reported vulnerability, and obtaining the remediation
in the form of a patch from the software vendor, the infomediary - CERT - sends out a public "advisory" to inform software users about it. In this traditional mechanism, reporting
vulnerabilities is voluntary with no explicit monetary gains to benign identifiers. Of late, firms such as iDefense have been proposing a different market-based mechanism. In this market-based mechanism, the infomediary rewards identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its clients who are users of this software. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Generally, an active "market-based mechanism" is expected to perform better than a passive "CERT" type mechanism.
Surprisingly, we find that a monopolist has an incentive to "misuse" the
vulnerability information such that it almost always reduces the social welfare. Even
when the "misuse" of information is prevented, we observe that under certain conditions,
the market-based infomediary generates higher industry loss than a CERT-type one and vice-versa. We extend our paper to analyze some other mechanisms as well and observe that a Federally-Funded Social Planner always performs at least as well as other mechanisms.

About the Speaker

Karthik Kannan is an Assistant Professor of Information Systems at the Krannert School of Management, Purdue University. His research interests span the areas of information security electronic markets, and peer-to-peer computing. His research on \"On Analyzing interactions in a software-agent based marketplace\" won the best paper award in WITS 2000. He is a member of ACM and INFORMS.


Ways to Watch

YouTube

Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!