Optimal Policy for Software Vulnerability Disclosure

Published Online: https://doi.org/10.1287/mnsc.1070.0771

References

  • Arbaugh W. A., Fithen W. L., McHugh J. Windows of vulnerability: A case study analysis. Computer (2000) 33(12):52–59
  • Arora A., Caulkins J. P., Telang R. Research note-sell first, fix later: Impact of patching on software quality. Management Sci. (2005) 52(3):465–471
  • Arora A., Nandkumar A., Telang R. Does information security attack frequency increase with vulnerability disclosure?—An empirical analysis. Inform. Systems Frontier (2006a) 8:350–362
  • Arora A., Forman C., Nandkumar A., Telang R. Competitive and strategic effects in the timing of patch release. Fifth Workshop Econom. Inform. Security (WEIS 2006) (2006b) Cambridge, UK
  • Arora A., Krishnan R., Telang R., Yang Y. How quickly do they patch? An empirical analysis of vendor response to disclosure policies. Internat. Conf. Inform. Systems (ICIS 2006) (2006c) Milwaukee
  • August T., Tunca T. Network software security and user incentives. Management Sci. (2005) 52(11):1703–1720
  • Beattie S., Arnold S., Cowan C., Wagle P., Wright C. Timing the application of security patches for optimal uptime. Proc. LISA: Sixteenth Systems Admin. Conf. (2002) (USENIX Association, Berkeley, CA) 233–242
  • Browne H. K., Arbaugh W. A., McHugh J., Fithen W. L. A trend analysis of exploitations. IEEE Sympos. Security Privacy (2001) (IEEE Computer Society, Washington, D.C.) 214–229
  • Cavusoglu H., Cavusoglu H., Raghunathan S. How should we disclose software vulnerabilities? Proc. 14th Workshop Inform. Tech systems (WITS'04) (2004) Washington, D.C.
  • Cavusoglu H., Cavusoglu H., Zhang J. Security patch management: Share the burden or share the damage? (2005). Working paper, Tulane University, New Orleans
  • Choi J., Fershtman C., Gandal N. Internet security, vulnerability disclosure and software provision. Fourth Workshop Econom. Inform. Security (WEIS 2005) (2005) Boston
  • Clarke R. Black hat briefings USA. (2002). Accessed July 19, 2006, http://www.blackhat.com/html/bh-usa-02/bh-usa-02-speakers.html#RichardClarke
  • CSI-FBI CSI/FBI computer crime and security survey. (2005) (Computer Security Institute)
  • Gordon L. A., Loeb M. P. The economics of information security investment. ACM Trans. Inform. System Security (2002) 5(4):438–457
  • InfoWorld.com Vulnerability enables passport account hijackings. (2003). http://www.infoworld.com/article/03/06/30/HNpass_1.html
  • Kannan K., Telang R. Market for software vulnerabilities? Think again. Management Sci. (2005) 51(5):726–740
  • National Strategy to Secure Cyberspace (2003). Accessed August 24, 2005, http://www.whitehouse.gov/pcipb
  • Nizovtsev D., Thursby M. To disclose or not? An analysis of software user behavior. Inform. Econom. Policy (2007) 19(1):43–64
  • Png I., Tang C. Q., Wang S. Y. Information security: User precautions and hacker targeting. Fifth Workshop Econom. Inform. Security (WEIS 2006) (2006) Cambridge, UK
  • Preston E., Lofton J. Computer security publications: Information economics, shifting liability and the first amendment. Whittier Law Rev. (2002) 24:71–142
  • Rescorla E. Security holes…who cares? Proc. 12th USENIX Security Conf. (2003) Washington, D.C.:75–90
  • Symantec Symantec Internet Security Threat Report. (2003). http://www.symantec.com