Are Markets for Vulnerabilities Effective?

Current reward structures in security vulnerability disclosure may be skewed toward benefitting nefarious usage of vulnerability information rather than responsible disclosure. Recently suggested market-based mechanisms offer incentives to responsible security researchers for discovering and reporting vulnerabilities. However, concerns exist that any benefits gained through increased incentives for responsible discovery may be lost through information leakage. Using perspectives drawn from the diffusion of innovations literature, we examine the effectiveness of market-based vulnerability disclosure mechanisms. Empirical examination of two years of security alert data finds that market-based disclosure restricts the diffusion of vulnerability exploitations, reduces the risk of exploitation, and decreases the volume of exploitation attempts.
Additional Details
Authors: Sam Ransbotham, Sabyasachi Mitra, and Jon Ramsey
Year: 2012
Volume: 36
Issue: 1
Keywords: Information security, vulnerability disclosure, information technology policy
Page Numbers: 43-64
Copyright © 2023 MISQ. All rights reserved.