DocumentCode :
2554696
Title :
Economic analysis of the market for software vulnerability disclosure
Author :
Kannan, Karthik ; Telang, Rahul ; Xu, Hao
Author_Institution :
Purdue Univ., West Lafayette, IN, USA
fYear :
2004
fDate :
5-8 Jan. 2004
Abstract :
Software vulnerability identification and disclosure have been a critical area of concern for policy makers. Traditionally, the computer emergency response team (CERT) has been acting as an infomediary between benign identifiers who report vulnerability information and users of the software. After verifying a reported vulnerability, and obtaining the remediation in the form of a patch from the software vendor, the infomediary - CERT - sends out a public "advisory" to inform software users about it. In the CERT-type mechanism, reporting vulnerabilities is voluntary, with no explicit monetary gains to benign identifiers. Of late, firms such as iDefense have been proposing a different, market-based mechanism. In this market-based mechanism, the infomediary rewards identifiers for each vulnerability disclosed to it. The infomediary then shares this information with its clients, who are users of this software. Using this information, clients can protect themselves against attacks that exploit those specific vulnerabilities. The key issue addressed in this paper is whether movement towards such a market-based mechanism for vulnerabilities leads to a better social outcome. We study this problem by characterizing the behavior of software users, benign and malign identifiers (or hackers).
Keywords :
DP industry; security of data; software development management; benign identifier; computer emergency response team; economic analysis; hacker; infomediary; information sharing; malign identifier; market based mechanism; software vendor; software vulnerability disclosure; software vulnerability identification; Computer crime; Computer hacking; Error analysis; Information security; Protection;
fLanguage :
English
Publisher :
ieee
Conference_Titel :
System Sciences, 2004. Proceedings of the 37th Annual Hawaii International Conference on
Print_ISBN :
0-7695-2056-1
Type :
conf
DOI :
10.1109/HICSS.2004.1265430
Filename :
1265430