Motivation
[Figure: bar chart by year, x-axis 1990 to 2003, y-axis 0 to 100,000; labelled values 21,756, 82,094 and 137,529]
Literature
• Arora, Telang, and Xu (2003) outline a model for the optimal
policy for software vulnerability disclosure.
• Vendors face a cost of patching. The more time they have to patch,
the less it costs them.
• Vendors' customers incur losses when they are breached. Depending
on the market structure, vendors "internalize" some of that customer
loss. The more loss they internalize, the more cost they bear and the
earlier they patch.
• Disclosure of a vulnerability is potentially harmful to customers,
because it makes the information easier for attackers to find as well.
The threat of disclosure is therefore supposed to force vendors to
patch faster, since disclosure raises their costs.
• However, there is little (if any) empirical evidence that vendors
indeed patch faster, or by how much.
Model Prediction
Data
• Vulnerabilities published by SecurityFocus or CERT/CC.
CERT/CC vs SecurityFocus
Early disclosure
• Whenever a vulnerability is disclosed within the disclosure window
(mostly 45 days) and the vendor has not yet patched, we call it early
disclosure. In our sample, disclosure usually happens quite early.
– Instant disclosure is the case where disclosure happens before, or at
the same time as, the vendor being notified of the vulnerability.
Impact of instant disclosure
                          Without instant disclosure   With instant disclosure
Patching time (days)      58.08 (78.30)                44.37 (80.01)
Severity metric           29.97 (22.68)                23.44 (21.34)
Observations / vulns      489 / 93                     791 / 245
(Obs / vulns = number of observations / number of unique vulnerabilities.)
Impact of disclosure source (for instantly disclosed vulnerabilities)
Vendor Characteristics
                      Mean     Std Dev
No. of employees      22640    75997
Open source           0.21     0.41
Public firm           0.42     0.50
There are 255 unique vendors in total. The statistics above are based on the 121 vendors
for which we have reliable information.
Vulnerability Characteristics
• There are 301 unique vulnerabilities in total.
• The average severity score was 16.25.
• Each vulnerability affected 11 vendors on average.
Analysis
• Two sets of analysis
– Impact of disclosure on patching time.
• Conditional on the vendor not having patched by time t-1,
how does disclosure at time t affect the vendor's
patching speed?
• We choose different values of t.
– Impact of the expected "disclosure window" on
patching time.
• How does a change in the disclosure window affect
vendors' patching behavior?
Te = 0 days: columns (1.1) vendor fixed effects, (1.2) vendor characteristics.
Te = 4-7 days: columns (2.1) vendor fixed effects, (2.2) vendor characteristics.
Coefficients with standard errors in parentheses.

                     (1.1)          (1.2)          (2.1)          (2.2)
CERT                 -0.55 (0.18)   -0.47 (0.17)    0.27 (0.21)    0.30 (0.18)
Disclosure           -0.78 (0.10)   -0.86 (0.10)   -0.50 (0.20)   -0.43 (0.20)
Firm size                            0.00 (0.01)                   0.00 (0.02)
Public firm                         -0.06 (0.13)                   0.08 (0.14)
Open source          -0.59 (0.35)   -0.52 (0.12)   -1.05 (0.40)   -0.20 (0.15)
Severity metric      -0.08 (0.04)   -0.07 (0.04)   -0.04 (0.06)   -0.06 (0.05)
Post September/11    -0.44 (0.11)   -0.41 (0.10)    0.08 (0.15)    0.08 (0.14)
Constant              4.44 (0.23)    4.37 (0.22)    3.81 (0.27)    3.69 (0.25)
R2                    0.0883         0.0849         0.0254         0.0205
N                     1280           1280            388            388
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and *** indicates significant at 1% level.
Results
• Disclosure accelerates patch delivery significantly. For
vulnerabilities that are disclosed instantly, the patch comes
55% faster than otherwise. (If the dependent variable is log patching
time, as the constants of about 4, i.e. exp(4) ≈ 55 days, suggest, the
Disclosure coefficient of about -0.8 is a factor of exp(-0.8) ≈ 0.45,
i.e. roughly 55% shorter patching time.)
Impact of Disclosure Source
Te = 0 days: columns (1.1) vendor fixed effects, (1.2) vendor characteristics.
Te = 4-7 days: columns (2.1) vendor fixed effects, (2.2) vendor characteristics.
Coefficients with standard errors in parentheses. C_C, C_S, C_O and C_None are the
disclosure-source indicators (presumably CERT, SecurityFocus, other source and no
disclosure, matching the Disclosed_by_C / _S / _O variables used later).

                        (1.1)             (1.2)             (2.1)             (2.2)
C_C                     -1.02*** (0.23)   -0.95*** (0.21)   -0.69* (0.36)     -0.65* (0.37)
C_S                     -1.01*** (0.20)   -1.06*** (0.18)   -0.54 (0.46)      -0.38 (0.46)
C_O                     -0.63*** (0.21)   -0.60*** (0.19)    2.04*** (0.74)    1.64** (0.70)
C_None                  -0.04 (0.20)       0.04 (0.18)       0.52*** (0.19)    0.47*** (0.17)
Firm size                                  0.00 (0.01)                         -0.01 (0.02)
Public firm                               -0.06 (0.13)                          0.07 (0.13)
Open source             -0.55* (0.35)     -0.52*** (0.12)   -1.05*** (0.39)   -0.17 (0.15)
Severity metric (log)   -0.07* (0.04)     -0.07* (0.04)     -0.05 (0.05)      -0.06 (0.05)
Post September/11       -0.41*** (0.11)   -0.38*** (0.11)    0.12 (0.15)       0.09 (0.14)
Constant                 3.92*** (0.22)    3.88*** (0.21)    3.56*** (0.25)    3.56*** (0.24)
R2                       0.1012            0.0966            0.0486            0.0482
N                        1280              1280               388               388
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and *** indicates significant at 1% level.
Impact of Disclosure Window “T”
• We now want to understand the impact of the disclosure window on
patching time. This is the information a policy maker such as CERT
needs: before deciding how much time vendors should be given, they
need to know the impact of granting one additional day.
With disclosure source: columns (1.1) vendor fixed effects, (1.2) vendor characteristics.
Without disclosure source: columns (2.1) vendor fixed effects, (2.2) vendor characteristics.
Coefficients with standard errors in parentheses.

                    (1.1)            (1.2)            (2.1)            (2.2)
Disclosure                                            -0.83** (0.11)   -0.93** (0.10)
Disclosed_by_C      -0.97** (0.17)   -0.99** (0.15)
Disclosed_by_S      -0.94** (0.13)   -1.09** (0.12)
Disclosed_by_O      -0.56** (0.14)   -0.63** (0.14)
Firm size                             0.00 (0.02)                       0.00 (0.02)
Public firm                          -0.07 (0.14)                      -0.08 (0.14)
Open source         -0.55* (0.36)    -0.56** (0.13)   -0.60* (0.36)    -0.55** (0.13)
Severity metric     -0.06 (0.04)     -0.05 (0.04)     -0.07* (0.04)    -0.06* (0.04)
Post 9/11           -0.44** (0.12)   -0.40** (0.11)   -0.48** (0.12)   -0.43** (0.11)
Constant             3.86** (0.19)    3.92** (0.19)    3.94** (0.18)    3.97** (0.19)
R2                   0.0991           0.0953           0.0903           0.0878
N                    1181             1181             1181             1181
Notes: * indicates significant at 10% level, ** indicates significant at 5% level and *** indicates significant at 1% level.
Results
Conclusions