NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY*
*We are grateful to the Editor and two anonymous referees whose comments and suggestions significantly improved the paper. We are also grateful to Sagit Bar-Gill for excellent research assistance. We thank Jacques Lawarree, Shlomit Wagman, and participants at the DIMACS 2007 conference, the UBC 2007 Summer Conference on Industrial Organization, the 2008 CEPR IO Conference, UC Berkeley, Michigan State University, Tel Aviv University, and the University of Washington for their helpful comments. A research grant from Microsoft is gratefully acknowledged. Any opinions expressed are those of the authors.
Article first published online: 24 DEC 2010
© 2010 The Authors. The Journal of Industrial Economics © 2010 Blackwell Publishing Ltd. and the Editorial Board of The Journal of Industrial Economics
The Journal of Industrial Economics
Volume 58, Issue 4, pages 868–894, December 2010
How to Cite
CHOI, J. P., FERSHTMAN, C. and GANDAL, N. (2010), NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY. The Journal of Industrial Economics, 58: 868–894. doi: 10.1111/j.1467-6451.2010.00435.x
Publication History
- Issue published online: 24 DEC 2010
Keywords
- Internet security
- software vulnerabilities
- disclosure policy
Abstract
Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firm faces a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only those consumers who install the updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which the firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and the effect of a ‘bug bounty’ program.