IDEAS home Printed from
   My bibliography  Save this paper

Network Security: Vulnerabilities and Disclosure Policy


  • Choi, Jay-Pil
  • Fershtman, Chaim
  • Gandal, Neil


Software security is a major concern for vendors, consumers, and regulators since attackers that exploit vulnerabilities can cause substantial damages. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only the consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper develops a setting that examines the economic incentives facing software vendors and users when software is subject to vulnerabilities. We consider a firm that sells software which is subject to potential security breaches. The firm needs to set the price of the software and state whether it intends to disclose vulnerabilities and issue updates. Consumers differ in their value of the software and the potential damage that hackers may inflict and need to decide whether to purchase the software as well as whether to install updates. Prices, market shares, and profits depend on the disclosure policy of the firm. The paper analyzes the market outcome and derives the conditions under which a firm would disclose vulnerabilities. It then examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities. The paper discusses the incentives to invest in product security by investigating how a decline in the number of vulnerabilities and an increase in the probability that the firm will identify vulnerabilities ex-post (before hackers) affect disclosure policy, price and profits.

Suggested Citation

  • Choi, Jay-Pil & Fershtman, Chaim & Gandal, Neil, 2007. "Network Security: Vulnerabilities and Disclosure Policy," CEPR Discussion Papers 6134, C.E.P.R. Discussion Papers.
  • Handle: RePEc:cpr:ceprdp:6134

    Download full text from publisher

    File URL:
    Download Restriction: CEPR Discussion Papers are free to download for our researchers, subscribers and members. If you fall into one of these categories but have trouble downloading our papers, please contact us at

    As the access to this document is restricted, you may want to look for a different version below or search for a different version of it.

    Other versions of this item:


    Citations are extracted by the CitEc Project, subscribe to its RSS feed for this item.

    Cited by:

    1. repec:wsi:igtrxx:v:19:y:2017:i:02:n:s0219198917500104 is not listed on IDEAS
    2. Terrence August & Tunay I. Tunca, 2011. "Who Should Be Responsible for Software Security? A Comparative Analysis of Liability Policies in Network Environments," Management Science, INFORMS, vol. 57(5), pages 934-959, May.
    3. Taylor J. Canann, 2013. "Software Vulnerability Analysis in Cyber Security: A Network Structure Approach," BYU Macroeconomics and Computational Laboratory Working Paper Series 2013-05, Brigham Young University, Department of Economics, BYU Macroeconomics and Computational Laboratory, revised Apr 2014.
    4. Fershtman, Chaim & Gandal, Neil, 2012. "Migration to the Cloud Ecosystem: Ushering in a New Generation of Platform Competition," CEPR Discussion Papers 8907, C.E.P.R. Discussion Papers.
    5. Chaim FERSHTMAN & Neil GANDAL, 2012. "Migration to the Cloud Ecosystem: Ushering in a New Generation of Platform Competition," Communications & Strategies, IDATE, Com&Strat dept., vol. 1(85), pages 109-123, 1st quart.
    6. Lam, Wing Man Wynne, 2014. "Ex Ante and Ex Post Investments in Cybersecurity," TSE Working Papers 14-519, Toulouse School of Economics (TSE).
    7. Lam, Wing Man Wynne, 2016. "Attack-prevention and damage-control investments in cybersecurity," Information Economics and Policy, Elsevier, vol. 37(C), pages 42-51.
    8. repec:gam:jgames:v:8:y:2017:i:2:p:23-:d:99623 is not listed on IDEAS
    9. repec:ebl:ecbull:eb-17-01024 is not listed on IDEAS

    More about this item


    disclosure policy; Internet security; software vulnerabilities;

    JEL classification:

    • L10 - Industrial Organization - - Market Structure, Firm Strategy, and Market Performance - - - General
    • L63 - Industrial Organization - - Industry Studies: Manufacturing - - - Microelectronics; Computers; Communications Equipment

    NEP fields

    This paper has been announced in the following NEP Reports:


    Access and download statistics


    All material on this site has been provided by the respective publishers and authors. You can help correct errors and omissions. When requesting a correction, please mention this item's handle: RePEc:cpr:ceprdp:6134. See general information about how to correct material in RePEc.

    For technical questions regarding this item, or to correct its authors, title, abstract, bibliographic or download information, contact: (). General contact details of provider: .

    If you have authored this item and are not yet registered with RePEc, we encourage you to do it here. This allows to link your profile to this item. It also allows you to accept potential citations to this item that we are uncertain about.

    We have no references for this item. You can help adding them by using this form .

    If you know of missing items citing this one, you can help us creating those links by adding the relevant references in the same way as above, for each refering item. If you are a registered author of this item, you may also want to check the "citations" tab in your RePEc Author Service profile, as there may be some citations waiting for confirmation.

    Please note that corrections may take a couple of weeks to filter through the various RePEc services.

    IDEAS is a RePEc service hosted by the Research Division of the Federal Reserve Bank of St. Louis . RePEc uses bibliographic data supplied by the respective publishers.