An examination of private intermediaries’ roles in software vulnerabilities disclosure

Li, Pu; Rao, H. Raghav

doi:10.1007/s10796-007-9047-2

Cited by 16 publications

(9 citation statements)

References 10 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Our research makes a significant contribution to our understanding of vendor's investment in software quality, in particular recent work in the information security literature that has examined vendor patch release behavior (Arora et al, forthcoming;Cavusoglu et al, 2005;Choi et al, 2005;Li and Rao, 2007). To our knowledge our research is the first to demonstrate how increases in disclosure threats from rivals and non-rivals influences investments in information security and software quality.…”

Section: Introductionmentioning

confidence: 65%

“…Telang and Wattal (2007) use an event study methodology to show that vulnerability disclosure leads to a loss of market value. Li and Rao (2007) empirically examined the role of private intermediaries on the timing of patch release by vendors and found that the presence of private intermediaries decreases vendors' incentive to deliver timely patches. Our research is similar to prior work in that we examine the economic outcomes from vulnerability disclosure.…”

Section: Related Literature and Contributionmentioning

confidence: 99%

See 1 more Smart Citation

Competition and patching of security vulnerabilities: An empirical analysis

Arora

Forman

Nandkumar

et al. 2010

Information Economics and Policy

View full text Add to dashboard Cite

a b s t r a c tWe empirically estimate the effect of competition on vendor patching of software defects by exploiting variation in number of vendors that share a common flaw or common vulnerabilities. We distinguish between two effects: the direct competition effect when vendors in the same market share a vulnerability, and the indirect effect, which operates through non-rivals that operate in different markets but nonetheless share the same vulnerability. Using time to patch as our measure of quality, we find empirical support for both direct and indirect effects of competition. Our results show that ex-post product quality in software markets is not only conditioned by rivals that operate in the same product market, but by also non-rivals that share the same common flaw.

show abstract

Section: Introductionmentioning

confidence: 65%

Section: Related Literature and Contributionmentioning

confidence: 99%

Competition and patching of security vulnerabilities: An empirical analysis

Arora

Forman

Nandkumar

et al. 2010

Information Economics and Policy

View full text Add to dashboard Cite

show abstract

“…A vulnerability could either be disclosed immediately with full details after it is discovered, or be disclosed after a certain period of time with limited details to allow the vendors to develop and release the patch [Li and Rao 2007]. Vulnerability disclosures have conflicting effects.…”

Section: Vulnerability Disclosuresmentioning

confidence: 99%

Drivers of information security search behavior: An investigation of network attacks and vulnerability disclosures

Wang

Xiao

Rao

2010

ACM Trans. Manage. Inf. Syst.

Self Cite

View full text Add to dashboard Cite

More and more people use search engines to seek for various information. This study investigates the search behavior that drives the search for information security knowledge via a search engine. Based on theories in information search and information security behavior we examine the effects of network attacks and vulnerability disclosures on search for information security knowledge by ordinary users. We construct a unique dataset from publicly available sources, and use a dynamic regression model to test the hypotheses empirically. We find that network attacks of current day and one day prior significantly impact the search, while vulnerability disclosure does not significantly affect the search. Implications of the study are discussed.

show abstract

“…They find that software vendors wait longer than is socially optimal to release a patch and threat of disclosure can force the vendors the release the patch early. See Li and Rao (2007) for a detailed discussion on vulnerability disclosure policies.…”

Section: Information Economics and Disclosure Policymentioning

confidence: 99%