IDEAS home Printed from https://ideas.repec.org/a/spr/infosf/v9y2007i5d10.1007_s10796-007-9047-2.html
   My bibliography  Save this article

An examination of private intermediaries’ roles in software vulnerabilities disclosure

Author

Listed:
  • Pu Li

    (State University of New York)

  • H. Raghav Rao

    (State University of New York)

Abstract

Software vulnerability disclosure has generated much interest and debate. Recently some private intermediaries have entered this market. This paper examines the effects of such private intermediaries on optimal timing of disclosure policy made by public intermediaries and vendors’ reactions. Our analysis of private intermediaries’ role suggests that public intermediary’s optimal disclosure time does not change with private intermediary’s participation. However, a vendor’s patch time increases when the probability of information leakage is low, if not non-existent. In other words, private intermediaries’ service decreases a vendor’s willingness to deliver quick patches. Empirical evidence with 1493 vulnerability observations from CERT/CC and other 326 different vulnerability observations from iDefense provided support for our analytical results.

Suggested Citation

  • Pu Li & H. Raghav Rao, 2007. "An examination of private intermediaries’ roles in software vulnerabilities disclosure," Information Systems Frontiers, Springer, vol. 9(5), pages 531-539, November.
    • Handle: RePEc:spr:infosf:v:9:y:2007:i:5:d:10.1007_s10796-007-9047-2
    DOI: 10.1007/s10796-007-9047-2
    as

    Download full text from publisher

    File URL: http://link.springer.com/10.1007/s10796-007-9047-2
    File Function: Abstract
    Download Restriction: Access to the full text of the articles in this series is restricted.
    File URL: https://libkey.io/10.1007/s10796-007-9047-2?utm_source=ideas
    LibKey link: if access is restricted and if your library uses this service, LibKey will redirect you to where you can use your library subscription to access this item
    ---><---

    As the access to this document is restricted, you may want to search for a different version of it.

    References listed on IDEAS

    as
    1. Fershtman, Chaim & Gandal, Neil & Choi, Jay Pil, 2005. "Internet Security, Vulnerability Disclosure and Software Provision," CEPR Discussion Papers 5269, C.E.P.R. Discussion Papers.
    2. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    Full references (including those not matched with items on IDEAS)

    Citations

    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.
    as


    Cited by:

    1. Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
    2. Saini Das & Arunabha Mukhopadhyay & Debashis Saha & Samir Sadhukhan, 2019. "A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs," Information Systems Frontiers, Springer, vol. 21(5), pages 959-977, October.
    3. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    4. Chulhwan Chris Bang, 2015. "Information systems frontiers: Keyword analysis and classification," Information Systems Frontiers, Springer, vol. 17(1), pages 217-237, February.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    2. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    3. Nizovtsev, Dmitri & Thursby, Marie, 2007. "To disclose or not? An analysis of software user behavior," Information Economics and Policy, Elsevier, vol. 19(1), pages 43-64, March.
    4. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    5. Harish Guda & Milind Dawande & Ganesh Janakiraman, 2021. "“Seemingly‐Beneficial” Interventions," Production and Operations Management, Production and Operations Management Society, vol. 30(10), pages 3337-3353, October.
    6. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    7. Macnish, Kevin & van der Ham, Jeroen, 2020. "Ethics in cybersecurity research and practice," Technology in Society, Elsevier, vol. 63(C).
    8. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    9. Jingguo Wang & Aby Chaudhury & H. Raghav Rao, 2008. "Research Note ---A Value-at-Risk Approach to Information Security Investment," Information Systems Research, INFORMS, vol. 19(1), pages 106-120, March.
    10. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    11. Terrence August & Tunay I. Tunca, 2006. "Network Software Security and User Incentives," Management Science, INFORMS, vol. 52(11), pages 1703-1720, November.
    12. Saini Das & Arunabha Mukhopadhyay & Debashis Saha & Samir Sadhukhan, 2019. "A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs," Information Systems Frontiers, Springer, vol. 21(5), pages 959-977, October.
    13. Xing Gao & Weijun Zhong, 2016. "A differential game approach to security investment and information sharing in a competitive environment," IISE Transactions, Taylor & Francis Journals, vol. 48(6), pages 511-526, June.
    14. Fang Fang & Manoj Parameswaran & Xia Zhao & Andrew B. Whinston, 2014. "An economic mechanism to manage operational security risks for inter-organizational information systems," Information Systems Frontiers, Springer, vol. 16(3), pages 399-416, July.
    15. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    16. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    17. Nikhil Malik & Manmohan Aseri & Param Vir Singh & Kannan Srinivasan, 2022. "Why Bitcoin Will Fail to Scale?," Management Science, INFORMS, vol. 68(10), pages 7323-7349, October.
    18. Terrence August & Marius Florin Niculescu & Hyoduk Shin, 2014. "Cloud Implications on Software Network Structure and Security Risks," Information Systems Research, INFORMS, vol. 25(3), pages 489-510, September.
    19. Stoel, M. Dale & Muhanna, Waleed A., 2011. "IT internal control weaknesses and firm performance: An organizational liability lens," International Journal of Accounting Information Systems, Elsevier, vol. 12(4), pages 280-304.
    20. Fabio BISOGNI & Simona CAVALLINI & Sara DI TROCCHIO, 2011. "Cybersecurity at European Level: The Role of Information Availability," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(81), pages 105-124, 1st quart.

    Corrections

    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:spr:infosf:v:9:y:2007:i:5:d:10.1007_s10796-007-9047-2. See general information about how to correct material in RePEc.

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    If CitEc recognized a bibliographic reference but did not link an item in RePEc to it, you can help with this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: Sonal Shukla or Springer Nature Abstracting and Indexing (email available below). General contact details of provider: http://www.springer.com .

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service. RePEc uses bibliographic data supplied by the respective publishers.