Abstract
Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and a 'bug bounty' program.
| Original language | English |
|---|---|
| Pages (from-to) | 868-894 |
| Number of pages | 27 |
| Journal | Journal of Industrial Economics |
| Volume | 58 |
| Issue number | 4 |
| DOIs | |
| State | Published - Dec 2010 |
Keywords
- Disclosure policy
- Internet security
- L100
- L630
- Software vulnerabilities