*We are grateful to the Editor and two anonymous referees whose comments and suggestions significantly improved the paper. We are also grateful to Sagit Bar-Gill for excellent research assistance. We thank Jacques Lawarree, Shlomit Wagman, and participants at the DIMACS 2007 conference, the UBC 2007 Summer Conference on Industrial Organization, the 2008 CEPR IO Conference, UC Berkeley, Michigan State University, Tel Aviv University, and the University of Washington for their helpful comments. A research grant from Microsoft is gratefully acknowledged. Any opinions expressed are those of the authors.


Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the vendor faces a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only those consumers who install the updates, while the disclosure itself helps hackers reverse engineer the vulnerability. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which the firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and of a ‘bug bounty’ program.