

NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY*
Authors: JAY PIL CHOI, CHAIM FERSHTMAN, NEIL GANDAL
Affiliation:
1. School of Economics, University of New South Wales, UNSW Sydney, NSW 2052 Australia, and Department of Economics, Michigan State University, East Lansing, Michigan, U.S.A. e-mail: choijay@msu.edu
2. Eitan Berglas School of Economics, Tel Aviv University, Tel Aviv 69978, Israel, Erasmus University, and CEPR. e-mail: fersht@post.tau.ac.il
3. Harold Hartog School of Government and Policy, Tel Aviv University, Tel Aviv 69978, Israel, and CEPR. e-mail: gandal@post.tau.ac.il
Abstract: Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and a ‘bug bounty’ program.
Keywords: L100; L630; Internet security; software vulnerabilities; disclosure policy