An empirical analysis of software vendors' patch release behavior: Impact of vulnerability disclosure

Journal Article (Journal Article)

Akey aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that results are consistent. We also show how our estimates can aid policy makers in their decision making. © 2010 INFORMS.

Full Text

Duke Authors

Cited Authors

  • Arora, A; Krishnan, R; Telang, R; Yang, Y

Published Date

  • January 1, 2010

Published In

Volume / Issue

  • 21 / 1

Start / End Page

  • 115 - 132

Electronic International Standard Serial Number (EISSN)

  • 1526-5536

International Standard Serial Number (ISSN)

  • 1047-7047

Digital Object Identifier (DOI)

  • 10.1287/isre.1080.0226

Citation Source

  • Scopus