Network security: Vulnerabilities and disclosure policy

Jay Pil Choi*, Chaim Fershtman, Neil Gandal

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

24 Scopus citations


Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the firms face a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only consumers who install updates, while the disclosure itself facilitates reverse engineering of the vulnerability by hackers. The paper considers a firm that sells software which is subject to potential security breaches and derives the conditions under which a firm would disclose vulnerabilities. It examines the effect of a regulatory policy that requires mandatory disclosure of vulnerabilities and a 'bug bounty' program.

Original languageEnglish
Pages (from-to)868-894
Number of pages27
JournalJournal of Industrial Economics
Issue number4
StatePublished - Dec 2010


  • Disclosure policy
  • Internet security
  • L100
  • L630
  • Software vulnerabilities


Dive into the research topics of 'Network security: Vulnerabilities and disclosure policy'. Together they form a unique fingerprint.

Cite this