An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure

Publication, Conference
Arora, A; Krishnan, R; Telang, R; Yang, Y
Published in: ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems
December 1, 2006

One key aspect of better and more secure software is timely and reliable patching of vulnerabilities by software vendors. Recently, software vulnerability disclosure, which refers to the publication of vulnerability information before the software vendor has issued a patch to fix the vulnerability, has generated intense interest and debate. In particular, arguments have been made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor: how quickly do vendors patch vulnerabilities in general, and after disclosure in particular? This paper compiles a unique data set from CERT/CC and SecurityFocus to answer this question. Our results suggest that disclosure policy has a significant positive impact on vendor patching speed. Vendors are 137% more likely to patch due to disclosure. In particular, instant disclosure hastens patch delivery by almost 29 days. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not handled by CERT/CC. This might reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis performed by CERT/CC.

Published In

ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems

Publication Date

December 1, 2006

Start / End Page

307 / 322

Citation

APA: Arora, A., Krishnan, R., Telang, R., & Yang, Y. (2006). An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure. In ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems (pp. 307–322).

Chicago: Arora, A., R. Krishnan, R. Telang, and Y. Yang. “An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure.” In ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems, 307–22, 2006.

ICMJE: Arora A, Krishnan R, Telang R, Yang Y. An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure. In: ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems. 2006. p. 307–22.

MLA: Arora, A., et al. “An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure.” ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems, 2006, pp. 307–22.

NLM: Arora A, Krishnan R, Telang R, Yang Y. An empirical analysis of software vendors' patching behavior: Impact of vulnerability disclosure. ICIS 2006 Proceedings - Twenty Seventh International Conference on Information Systems. 2006. p. 307–322.