Abstract:
Software vendors have a disincentive to announce vulnerabilities, because they lose market value and stock price after disclosing them; for that reason, the quality of vulnerability information matters a great deal. For the most part, hackers do not discover vulnerabilities themselves: they exploit them after hearing announcements. It is theorized that if a company discovers a vulnerability in its own software, it does better by reporting the vulnerability itself; however, this does not hold. Because a third-party announcement does not lead to worse consequences for the vendor than self-disclosure, companies have no incentive to disclose vulnerability information. Thus, companies are better off integrating a fix for the vulnerability into a new service pack or a new version of the software without disclosing the vulnerability.
Authors:
Rahul Telang, Sunil Wattal
Institution:
Heinz College, Carnegie Mellon University
Industry Focus:
Information & Telecommunication
Internet & Cyberspace