Vulnerability Disclosure

The Experts below are selected from a list of 336 Experts worldwide ranked by the ideXlab platform

Rahul Telang - One of the best experts on this subject based on the ideXlab platform.

  • WEIS - An Empirical Analysis of Vendor Response to Disclosure Policy.
    2020
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    Software vulnerability disclosure has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on the patch release behavior of software vendors? This paper compiles a unique data set from the CERT/CC and SecurityFocus databases to answer this question. Our results suggest that early disclosure has a significant positive impact on vendor patching speed. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC. We also find that vendors are more responsible after the 9/11 event.

  • An Economic Analysis of Market for Software Vulnerabilities
    2020
    Co-Authors: K Kannan, Rahul Telang
    Abstract:

    Software vulnerability disclosure has become a critical area of concern for policy-makers. Traditionally, the Computer Emergency Response Team (CERT) has been acting as an infomediary between benign identifiers (who report vulnerability information voluntarily) and software users. After verifying a reported vulnerability, the infomediary – CERT – sends out a public “advisory” so that users can safeguard their systems against potential exploits. Of late, firms such as iDefense have been implementing a different market-based approach for vulnerability disclosure, where the “market-based” infomediary provides monetary rewards to identifiers for each vulnerability disclosed to it. The infomediary shares this information with its client base. Using this information, clients protect themselves against attacks that exploit those specific vulnerabilities. The key question addressed in our paper is whether movement towards such a market-based mechanism for vulnerability disclosure leads to a better social outcome. Our analysis demonstrates that an active “market-based mechanism” for vulnerabilities almost always underperforms a passive CERT-type mechanism. We provide intuitions for this counter-intuitive result. Further, our paper provides policy recommendations that improve the relative performance of the market-based mechanism, though not completely. Finally, we extend our analysis and analyze a new mechanism – a “Federally-Funded Social Planner” – that always performs better than a market-based mechanism.

  • An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.

  • Optimal Policy for Software Vulnerability Disclosure
    Management Science, 2008
    Co-Authors: Ashish Arora, Rahul Telang, Hao Xu
    Abstract:

    Software vulnerabilities represent a serious threat to cybersecurity; most cyberattacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus, CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in better patch quality. Another extension allows for some fraction of users to use “work-arounds.” We show that the possibility of work-arounds can provide the social planner with more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who are able to use the work-arounds on the users who are not.

  • Does Information Security Attack Frequency Increase with Vulnerability Disclosure? An Empirical Analysis
    Information Systems Frontiers, 2006
    Co-Authors: Ashish Arora, Anand Nandkumar, Rahul Telang
    Abstract:

    Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities. Disclosure of software vulnerabilities has been controversial. On one hand are those who propose full and instant disclosure whether the patch is available or not, and on the other hand are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability information disclosure and availability of patches on attacks targeting the vulnerability. Our results suggest that on average both secret (non-published) and published (published and not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and patches, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually decline after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published, and then attacks rapidly decrease with time after publication.

Yubao Yang - One of the best experts on this subject based on the ideXlab platform.

  • WEIS - An Empirical Analysis of Vendor Response to Disclosure Policy.
    2020
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    Software vulnerability disclosure has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on the patch release behavior of software vendors? This paper compiles a unique data set from the CERT/CC and SecurityFocus databases to answer this question. Our results suggest that early disclosure has a significant positive impact on vendor patching speed. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC. We also find that vendors are more responsible after the 9/11 event.

  • An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.

  • An Empirical Analysis of Vendor Response to Software Vulnerability Disclosure
    2005
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    Software vulnerability disclosure refers to the publication of vulnerability information before a patch to address the vulnerability has been issued by the software vendor. It has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on the patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and SecurityFocus to answer this question. Our results suggest that disclosure policy has a significant positive impact on vendor patching speed. Vendors are 137% more likely to patch due to disclosure. In particular, instant disclosure hastens the patch delivery by almost 29 days. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not handled by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC.

  • Impact of Vulnerability Disclosure and Patch Availability: An Empirical Analysis
    2004
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Anand Nandkumar, Yubao Yang, John H Heinz
    Abstract:

    Vulnerability disclosure is an area of public policy that has been subject to considerable debate, particularly between proponents of full and instant disclosure and those of limited or no disclosure. This paper is an attempt to empirically test the impact of vulnerability information disclosure and availability of patches on attackers’ tendency to exploit vulnerabilities on one hand and on vendors’ tendency to release patches on the other. Our results suggest that while vendors are quick to respond to instant disclosure, vulnerability disclosure also increases the frequency of attacks. However, the frequency of attacks decreases over time. We also find that open source vendors patch more quickly than closed source vendors and that large vendors are more responsive.

Andrew B. Whinston - One of the best experts on this subject based on the ideXlab platform.

  • AMCIS - A Reputation-Based Mechanism for Software Vulnerability Disclosure
    2007
    Co-Authors: Xia Zhao, Jianqing Chen, Andrew B. Whinston
    Abstract:

    Whether and how to disclose software vulnerability information has been debated intensely. An optimal disclosure policy should balance the tradeoff between its impact on software vendors' incentives and the potential risks imposed on customers. Previous research on software vulnerability primarily focused on the timing aspect of the disclosure policy. In this paper, we investigate another dimension - the reputation aspect - of the disclosure policy. We propose a disclosure mechanism integrated with a reputation system that reflects the software security level. Reputation by itself can effectively provide an incentive for software vendors to fix vulnerabilities. Furthermore, the reputation operator can partially release vulnerability details to optimize social welfare.

Ashish Arora - One of the best experts on this subject based on the ideXlab platform.

  • WEIS - An Empirical Analysis of Vendor Response to Disclosure Policy.
    2020
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    Software vulnerability disclosure has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on the patch release behavior of software vendors? This paper compiles a unique data set from the CERT/CC and SecurityFocus databases to answer this question. Our results suggest that early disclosure has a significant positive impact on vendor patching speed. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC. We also find that vendors are more responsible after the 9/11 event.

  • An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure
    Information Systems Research, 2010
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that the results are consistent. We also show how our estimates can aid policy makers in their decision making.

  • Optimal Policy for Software Vulnerability Disclosure
    Management Science, 2008
    Co-Authors: Ashish Arora, Rahul Telang, Hao Xu
    Abstract:

    Software vulnerabilities represent a serious threat to cybersecurity; most cyberattacks exploit known vulnerabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus, CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in better patch quality. Another extension allows for some fraction of users to use “work-arounds.” We show that the possibility of work-arounds can provide the social planner with more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who are able to use the work-arounds on the users who are not.

  • Does Information Security Attack Frequency Increase with Vulnerability Disclosure? An Empirical Analysis
    Information Systems Frontiers, 2006
    Co-Authors: Ashish Arora, Anand Nandkumar, Rahul Telang
    Abstract:

    Research in information security, risk management and investment has grown in importance over the last few years. However, without reliable estimates on attack probabilities, risk management is difficult to do in practice. Using a novel data set, we provide estimates on attack propensity and how it changes with disclosure and patching of vulnerabilities. Disclosure of software vulnerabilities has been controversial. On one hand are those who propose full and instant disclosure whether the patch is available or not, and on the other hand are those who argue for limited or no disclosure. Which of the two policies is socially optimal depends critically on how attack frequency changes with disclosure and patching. In this paper, we empirically explore the impact of vulnerability information disclosure and availability of patches on attacks targeting the vulnerability. Our results suggest that on average both secret (non-published) and published (published and not patched) vulnerabilities attract fewer attacks than patched (published and patched) vulnerabilities. When we control for time since publication and patches, we find that patching an already known vulnerability decreases the number of attacks, although attacks gradually increase with time after patch release. Patching an unknown vulnerability, however, causes a spike in attacks, which then gradually decline after patch release. Attacks on secret vulnerabilities slowly increase with time until the vulnerability is published, and then attacks rapidly decrease with time after publication.

  • An Empirical Analysis of Vendor Response to Software Vulnerability Disclosure
    2005
    Co-Authors: Ashish Arora, Rahul Telang, Ramayya Krishnan, Yubao Yang
    Abstract:

    Software vulnerability disclosure refers to the publication of vulnerability information before a patch to address the vulnerability has been issued by the software vendor. It has generated intense interest and debate. In particular, there have been arguments made both in opposition to and in favor of alternatives such as full and instant disclosure and limited or no disclosure. An important consideration in this debate is the behavior of the software vendor. Does vulnerability disclosure policy have an effect on the patch release behavior of software vendors? This paper compiles a unique data set from CERT/CC and SecurityFocus to answer this question. Our results suggest that disclosure policy has a significant positive impact on vendor patching speed. Vendors are 137% more likely to patch due to disclosure. In particular, instant disclosure hastens the patch delivery by almost 29 days. Open source vendors patch more quickly than closed source vendors, and severe vulnerabilities are patched faster. We also find that vendors respond more slowly to vulnerabilities not handled by CERT/CC. This might reflect unmeasured differences in the severity and importance of vulnerabilities. It might also reflect the stronger lines of communication between CERT/CC and vendors, and the value of the vulnerability analysis by CERT/CC.

Xia Zhao - One of the best experts on this subject based on the ideXlab platform.

  • AMCIS - A Reputation-Based Mechanism for Software Vulnerability Disclosure
    2007
    Co-Authors: Xia Zhao, Jianqing Chen, Andrew B. Whinston
    Abstract:

    Whether and how to disclose software vulnerability information has been debated intensely. An optimal disclosure policy should balance the tradeoff between its impact on software vendors' incentives and the potential risks imposed on customers. Previous research on software vulnerability primarily focused on the timing aspect of the disclosure policy. In this paper, we investigate another dimension - the reputation aspect - of the disclosure policy. We propose a disclosure mechanism integrated with a reputation system that reflects the software security level. Reputation by itself can effectively provide an incentive for software vendors to fix vulnerabilities. Furthermore, the reputation operator can partially release vulnerability details to optimize social welfare.