IDEAS home Printed from https://ideas.repec.org/a/bla/popmgt/v29y2020i11p2532-2552.html
   My bibliography  Save this article

Determinants of Software Vulnerability Disclosure Timing

Author

Listed:
  • Ravi Sen
  • Joobin Choobineh
  • Subodha Kumar

Abstract

The timing of vulnerability disclosures (by vulnerability discoverers) has significant implications for software producers and users. Immediate disclosure (before a patch becomes available) could result in exploits with subsequent harm to installed systems. Therefore, it is important to understand the determinants of this timing. In this study, we investigate the impacts of (i) the perception of the vulnerability discoverer about the software producer, (ii) the type of vulnerable software, and (iii) the severity of the vulnerability, on a vulnerability discoverer's choice of disclosure timing. We collect data from three different sources and control for the vulnerability discoverer's motivations and beliefs. Our results indicate that those who perceive a software producer to be timely in its patch release, reward it by delaying the disclosure. We also find that it is more likely that the disclosure is delayed for open source software and it is less likely that the disclosure is delayed for more severe vulnerabilities. The findings of this study are relevant to software producers in their decision‐making process on resource allocation for software patches and should also help policy‐makers to devise regulations relevant to the timing of disclosures and patch releases. Furthermore, these findings could be relevant to software consumers searching for a particular software product that they would like to use. This study attempts to provide insights into an ongoing discussion in the operations management community regarding how to allocate and divide resources between software development and software maintenance.

Suggested Citation

  • Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    • Handle: RePEc:bla:popmgt:v:29:y:2020:i:11:p:2532-2552
    DOI: 10.1111/poms.13120
    as

    Download full text from publisher

    File URL: https://doi.org/10.1111/poms.13120
    Download Restriction: no
    File URL: https://libkey.io/10.1111/poms.13120?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    References listed on IDEAS

    as
    1. Ashish Arora & Jonathan P. Caulkins & Rahul Telang, 2006. "Research Note--Sell First, Fix Later: Impact of Patching on Software Quality," Management Science, INFORMS, vol. 52(3), pages 465-471, March.
    2. Fisher, Robert J & Ackerman, David, 1998. "The Effects of Recognition and Group Need on Volunteerism: A Social Norm Perspective," Journal of Consumer Research, Journal of Consumer Research Inc., vol. 25(3), pages 262-275, December.
    3. Ryu, C. & Sharman, R. & Rao, H.R. & Upadhyaya, S., 2010. "Security protection design for deception and real system regimes: A model and analysis," European Journal of Operational Research, Elsevier, vol. 201(2), pages 545-556, March.
    4. Yonghua Ji & Vijay S. Mookerjee & Suresh P. Sethi, 2005. "Optimal Software Development: A Control Theoretic Approach," Information Systems Research, INFORMS, vol. 16(3), pages 292-306, September.
    5. Hao Xia & Milind Dawande & Vijay Mookerjee, 2016. "Optimal Coordination in Distributed Software Development," Production and Operations Management, Production and Operations Management Society, vol. 25(1), pages 56-76, January.
    6. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    7. Krishnamurthy, Sandeep & Tripathi, Arvind K., 2009. "Monetary donations to an open source software platform," Research Policy, Elsevier, vol. 38(2), pages 404-414, March.
    8. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    9. Martin Dierker & Avanidhar Subrahmanyam, 2017. "Dynamic Information Disclosure," Contemporary Accounting Research, John Wiley & Sons, vol. 34(1), pages 601-621, March.
    10. Dardanoni, Valentino & Li Donni, Paolo, 2012. "Incentive and selection effects of Medigap insurance on inpatient care," Journal of Health Economics, Elsevier, vol. 31(3), pages 457-470.
    11. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2017. "Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions," Production and Operations Management, Production and Operations Management Society, vol. 26(5), pages 860-879, May.
    12. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    13. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    14. Milind Dawande & Subodha Kumar & Vijay Mookerjee & Chelliah Sriskandarajah, 2008. "Maximum Commonality Problems: Applications and Analysis," Management Science, INFORMS, vol. 54(1), pages 194-207, January.
    15. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    16. Pu Li & H. Raghav Rao, 2007. "An examination of private intermediaries’ roles in software vulnerabilities disclosure," Information Systems Frontiers, Springer, vol. 9(5), pages 531-539, November.
    17. Jeffrey A. Roberts & Il-Horn Hann & Sandra A. Slaughter, 2006. "Understanding the Motivations, Participation, and Performance of Open Source Software Developers: A Longitudinal Study of the Apache Projects," Management Science, INFORMS, vol. 52(7), pages 984-999, July.
    18. Lindenberg, Siegwart, 2001. "Intrinsic Motivation in a New Light," Kyklos, Wiley Blackwell, vol. 54(2-3), pages 317-342.
    19. Krishnamurthy, Sandeep & Ou, Shaosong & Tripathi, Arvind K., 2014. "Acceptance of monetary rewards in open source software development," Research Policy, Elsevier, vol. 43(4), pages 632-644.
    20. Siegwart Lindenberg, 2001. "Intrinsic Motivation in a New Light," Kyklos, Wiley Blackwell, vol. 54(2‐3), pages 317-342, May.
    21. Richard Williams, 2006. "Generalized ordered logit/partial proportional odds models for ordinal dependent variables," Stata Journal, StataCorp LP, vol. 6(1), pages 58-82, March.
    22. Milind Dawande & Monica Johar & Subodha Kumar & Vijay S. Mookerjee, 2008. "A Comparison of Pair Versus Solo Programming Under Different Objectives: An Analytical Approach," Information Systems Research, INFORMS, vol. 19(1), pages 71-92, March.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Rahul Menon & Lin Nan, 2023. "Sooner or later? A study of report timing," Production and Operations Management, Production and Operations Management Society, vol. 32(3), pages 762-779, March.
    2. Zach Zhizhong Zhou & Vidyanand Choudhary, 2022. "Impact of Competition from Open Source Software on Proprietary Software," Production and Operations Management, Production and Operations Management Society, vol. 31(2), pages 731-742, February.
    3. Subodha Kumar & Rakesh R. Mallipeddi, 2022. "Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions," Production and Operations Management, Production and Operations Management Society, vol. 31(12), pages 4488-4500, December.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    2. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    3. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    4. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    5. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    6. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    7. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    8. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    9. Belenzon, Sharon & Schankerman, Mark, 2008. "Motivation and sorting in open source software innovation," LSE Research Online Documents on Economics 51594, London School of Economics and Political Science, LSE Library.
    10. Jiang Jiang & Rui Feng & Eldon Y. Li, 2021. "Uncovering the Providers’ Continuance Intention of Participation in the Sharing Economy: A Moderated Mediation Model," Sustainability, MDPI, vol. 13(9), pages 1-22, May.
    11. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    12. Johan Graafland, 2020. "Competition in technology and innovation, motivation crowding, and environmental policy," Corporate Social Responsibility and Environmental Management, John Wiley & Sons, vol. 27(1), pages 137-145, January.
    13. Gauguier, Jean-Jacques, 2009. "L’industrialisation de l’Open Source," Economics Thesis from University Paris Dauphine, Paris Dauphine University, number 123456789/4388 edited by Toledano, Joëlle.
    14. Puiu Andreea-Ionela, 2020. "Motivations of Young Consumers to Participate to Collaborative Consumption," Journal of Social and Economic Statistics, Sciendo, vol. 9(2), pages 43-55, December.
    15. Mamta Sharma & Gagandeep Kaur, 2015. "Effect Of Music Therapy On Intrinsic Motivation, Physical Self Efficacy And Performance Of Female Football Players," Working papers 2015-03-02, Voice of Research.
    16. Magnus Bergquist & Andreas Nilsson & Emma Ejelöv, 2019. "Contest-Based and Norm-Based Interventions: (How) Do They Differ in Attitudes, Norms, and Behaviors?," Sustainability, MDPI, vol. 11(2), pages 1-17, January.
    17. Andreu, Rafael & Riverola, Josep & Rosanas, Josep M. & de Santiago, Rafael, 2012. "Capability building and learning: An emergent behavior approach," IESE Research Papers D/952, IESE Business School.
    18. Bitzer, Jurgen & Schrettl, Wolfram & Schroder, Philipp J.H., 2007. "Intrinsic motivation in open source software development," Journal of Comparative Economics, Elsevier, vol. 35(1), pages 160-169, March.
    19. Osterloh, Margit & Rota, Sandra, 2007. "Open source software development--Just another case of collective invention?," Research Policy, Elsevier, vol. 36(2), pages 157-171, March.
    20. Johannes Huinink & Martin Kohli, 2014. "A life-course approach to fertility," Demographic Research, Max Planck Institute for Demographic Research, Rostock, Germany, vol. 30(45), pages 1293-1326.

    More about this item

    Statistics

    Access and download statistics

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:bla:popmgt:v:29:y:2020:i:11:p:2532-2552. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Wiley Content Delivery (email available below). General contact details of provider: http://onlinelibrary.wiley.com/journal/10.1111/(ISSN)1937-5956 .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.