Optimal policy for software vulnerability disclosure

Cited by: 77
Authors
Arora, Ashish [1]
Telang, Rahul [1]
Xu, Hao [1]
Affiliation
[1] Carnegie Mellon University, H. John Heinz III School of Public Policy and Management, Pittsburgh, PA 15213, USA
Keywords
economics of cybersecurity; software vulnerability; disclosure policy; instant disclosure; patching; patch quality
DOI
10.1287/mnsc.1070.0771
Chinese Library Classification (CLC)
C93 [Management]
Discipline classification codes
12; 1201; 1202; 120202
Abstract
Software vulnerabilities represent a serious threat to cybersecurity: most cyberattacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets the protected period given to a vendor to release a patch for the vulnerability) indirectly affects the speed and quality of the patch that the vendor develops. Thus, CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in better patch quality. Another extension allows for some fraction of users to use "work-arounds." We show that the possibility of work-arounds can provide the social planner with more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost, because of the negative externalities imposed by the users who are able to use the work-arounds on the users who are not.
Pages: 642-656
Page count: 15
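The abstract's central mechanism (a vendor that internalizes only part of users' losses patches later than a social planner would like, and a disclosure deadline pulls the patch forward until, at the optimum, patch release coincides with disclosure) is easier to see with numbers. The following stylized simulation is an added illustration written for this page; it is not the paper's model, and every parameter and functional form in it (a K/tau patch-development cost, constant per-day loss rates before and after disclosure, a vendor that bears a fraction ALPHA of user losses, instant adoption of the patch, no patch-quality or work-around effects) is an assumption chosen for the example.

```python
"""Stylized vulnerability-disclosure timing game (added illustration, not the paper's model).

Timeline: the vulnerability is reported to the vendor on day 0. The planner fixes a
disclosure day T (the protected period); the vendor picks the patch release day tau.
Users suffer expected losses every day the vulnerability is unpatched, at a higher
rate once it is public. Everyone installs the patch the day it ships (assumption).
"""
from math import inf

# Assumed parameters (illustrative values, not taken from the paper).
K = 2000.0        # patch-development cost scale: shipping on day tau costs K / tau
LOSS_LOW = 1.0    # expected user loss per day while the flaw is undisclosed (private finds)
LOSS_HIGH = 10.0  # expected user loss per day once disclosed and still unpatched
ALPHA = 0.2       # share of user losses the vendor internalizes (reputation, support, liability)
HORIZON = 365     # latest patch day considered by the grid search


def dev_cost(tau):
    """Cost to the vendor of delivering the patch on day tau; rushing is expensive."""
    return K / tau


def user_loss(tau, T):
    """Expected cumulative user loss if the patch ships on day tau and disclosure is on day T.
    T=None means the planner never discloses."""
    if T is None or tau <= T:
        return LOSS_LOW * tau
    return LOSS_LOW * T + LOSS_HIGH * (tau - T)


def social_cost(tau, T):
    return user_loss(tau, T) + dev_cost(tau)


def vendor_cost(tau, T):
    """The vendor bears the full development cost but only a fraction of user losses."""
    return ALPHA * user_loss(tau, T) + dev_cost(tau)


def argmin_day(cost):
    best_day, best = None, inf
    for day in range(1, HORIZON + 1):
        c = cost(day)
        if c < best:
            best_day, best = day, c
    return best_day


def vendor_response(T):
    """Patch day the vendor chooses given disclosure day T (best response)."""
    return argmin_day(lambda tau: vendor_cost(tau, T))


def socially_optimal_patch_day(T=None):
    """Patch day a planner who could dictate tau directly would pick."""
    return argmin_day(lambda tau: social_cost(tau, T))


def optimal_protected_period():
    """Planner picks T anticipating the vendor's best response, or None if never
    disclosing is socially cheaper."""
    best_T, best = None, social_cost(vendor_response(None), None)
    for T in range(1, HORIZON + 1):
        c = social_cost(vendor_response(T), T)
        if c < best:
            best_T, best = T, c
    return best_T


if __name__ == "__main__":
    tau_social = socially_optimal_patch_day()
    tau_vendor = vendor_response(None)
    T_star = optimal_protected_period()
    print(f"socially optimal patch day (no disclosure threat): {tau_social}")
    print(f"vendor's patch day with no disclosure threat:      {tau_vendor}")
    print(f"planner's optimal protected period T*:             {T_star}")
    print(f"vendor's patch day under T*:                       {vendor_response(T_star)}")
    print(f"social cost without disclosure: {social_cost(tau_vendor, None):.1f}")
    print(f"social cost under T*:           {social_cost(vendor_response(T_star), T_star):.1f}")
```

With these values the planner's deadline exactly recovers the social optimum: the vendor would otherwise ship on day 100, the planner sets T = 45, and the vendor's best response is to ship on day 45, i.e. at disclosure. Shrinking T further backfires in this model, because a deadline earlier than the vendor's post-disclosure response (around day 32 here) leaves users exposed to the high loss rate after the vulnerability is public, which is the cost of "instant disclosure" that the paper's trade-off turns on.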
References
20 in total; the first 10 are listed below
[1] Arbaugh, W. A., Fithen, W. L., & McHugh, J. (2000). Windows of vulnerability: A case study analysis. Computer, 33(12), 52-59. DOI 10.1109/2.889093
[2] Arora, A., Caulkins, J. P., & Telang, R. (2006). Research note: Sell first, fix later: Impact of patching on software quality. Management Science, 52(3), 465-471.
[3] Arora, A. (2006). 5th Workshop on the Economics of Information Security (WEIS).
[4] Arora, A. (2006). International Conference on Information Systems (ICIS).
[5] Arora, A., Nandkumar, A., & Telang, R. (2006). Does information security attack frequency increase with vulnerability disclosure? An empirical analysis. Information Systems Frontiers, 8(5), 350-362.
[6] August, T., & Tunca, T. I. (2006). Network software security and user incentives. Management Science, 52(11), 1703-1720.
[7] Beattie, S., et al. (2002). Timing the application of security patches for optimal uptime. Proceedings of the 16th USENIX Systems Administration Conference (LISA XVI), 233.
[8] Browne, H. K., Arbaugh, W. A., McHugh, J., & Fithen, W. L. (2001). A trend analysis of exploitations. Proceedings of the 2001 IEEE Symposium on Security and Privacy, 214-229.
[9] Cavusoglu, H. (2004). Proceedings of the 14th Workshop on Information Technologies and Systems (WITS).
[10] Cavusoglu, H. (2005). Security patch management.