MANAGEMENT SCIENCE informs ® Vol. 54, No. 4, April 2008, pp. 642–656 doi 10.1287/mnsc.1070.0771 issn 0025-1909 eissn 1526-5501 08 5404 0642 © 2008 INFORMS
Optimal Policy for Software Vulnerability Disclosure
Ashish Arora, Rahul Telang, Hao Xu H. John Heinz III School of Public Policy and Management, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213 {[email protected], [email protected], [email protected]}
oftware vulnerabilities represent a serious threat to cybersecurity, most cyberattacks exploit known vulner- Sabilities. Unfortunately, there is no agreed-upon policy for their disclosure. Disclosure policy (which sets a protected period given to a vendor to release the patch for the vulnerability) indirectly affects the speed and quality of the patch that a vendor develops. Thus, CERT/CC and similar bodies acting in the public interest can use disclosure to influence the behavior of vendors and reduce social cost. This paper develops a framework to analyze the optimal timing of disclosure. We formulate a model involving a social planner who sets the disclosure policy and a vendor who decides on the patch release. We show that the vendor typically releases the patch less expeditiously than is socially optimal. The social planner optimally shrinks the protected period to push the vendor to deliver the patch more quickly, and sometimes the patch release time coincides with disclosure. We extend the model to allow the proportion of users implementing patches to depend upon the quality (chosen by the vendor) of the patch. We show that a longer protected period does not always result in a better patch quality. Another extension allows for some fraction of users to use “work-arounds.” We show that the possibility of work-arounds can provide the social planner with more leverage, and hence the social planner shrinks the protected period. Interestingly, the possibility of work-arounds can sometimes increase the social cost due to the negative externalities imposed by the users who are able to use the work-arounds on the users who are not. Key words: economics of cybersecurity; software vulnerability; disclosure policy; instant disclosure; patching; patch quality History: Accepted by Barrie R. Nault, information systems; received October 23, 2005. This paper was with the authors 7 months for 4 revisions. Published online in Articles in Advance March 1, 2008.
First, the Nation needs a better-defined approach to per company was more than $500,000 in 2004, and the disclosure of vulnerabilities. The issue is complex more than $200,000 in 2005 (CSI-FBI 2005). Software because exposing vulnerabilities both helps speed the vendors, including Microsoft, have announced their development of solutions and also creates opportu- intention to reduce vulnerabilities in their products. nities for would-be attackers. (National Strategy to Despite this, it is likely that vulnerabilities will con- Secure Cyberspace 2003, p. 33) tinue to be discovered in the foreseeable future.
1. Introduction 1.1. Vulnerability Disclosure Policies Information security breaches pose a significant and There is considerable debate about how software vul- increasing threat to national security and economic nerabilities should be disclosed. In one view, discover- well-being. In the Symantec Internet Security Threat ers should report vulnerabilities to vendors and wait Report (Symantec 2003), companies reported expe- until the vendor develops a patch. However, because riencing about 30 attacks per week. These attacks often exploit software defects or vulnerabilities. The a vendor is unlikely to fully internalize all user losses number of reported vulnerabilities has increased dra- when a vulnerability is exploited, some believe that matically over time. The same Symantec report doc- patches are often excessively delayed. This belief umented 2,524 vulnerabilities discovered in 2002, fueled the creation of full-disclosure mailing lists in affecting over 2,000 distinct products, an 81.5% the late 90s, such as “Bugtraq,” where vulnerability increase over 2001. The CERT/CC (Computer Emer- information is disclosed immediately and discussed gency Response Team/Coordination Center) received openly. Proponents of instant disclosure claim it and cataloged 8,064 vulnerabilities in 2006 alone and increases public awareness, presses vendors to issue reported more than 82,000 incidents involving vari- patches quickly, and improves the quality of software ous cyberattacks. Although precise estimates are not over time. However, many believe that the disclo- available, losses from cyberattacks can be substan- sure of vulnerabilities, especially without a patch, is tial. The CSI-FBI survey estimates show that the loss dangerous because it leaves users defenseless against
642 Arora, Telang, and Xu: Optimal Policy for Software Vulnerability Disclosure Management Science 54(4), pp. 642–656, © 2008 INFORMS 643 attackers. Richard Clarke (2002), President Bush’s for- has insufficient incentives to produce the patch expe- mer special advisor for cyberspace security, said: “It is ditiously. The social planner can potentially influ- irresponsible and extremely damaging to release ence the vendor decision by credibly threatening to information before the patch is out.”. disclose the vulnerability information after a pro- Whereas Bugtraq tends to favor full and quick dis- tected period (thereby making it available to attackers closure, organizations like CERT follow a more cau- as well). Thus, the social planner chooses the pro- tious approach. After learning of a vulnerability, tected period by trading off customer losses due to CERT contacts the vendor(s) and provides a time disclosure against the benefits of an earlier patch from window to patch the vulnerability; the de facto pol- the vendor (which also reduces customer loss). One icy is to give vendors 45 days. After that, the vul- key result is that the vendor is more responsive to dis- nerability is publicly disclosed. Other organizations closure if it internalizes more customer loss. However, have proposed their own policies. For example, OIS, even when the vendor internalizes a small fraction of which represents a consortium of 11 software ven- the customer loss, an optimal disclosure policy can 1 dors, suggests a 30-day window. In addition, firms generate significant social benefits. More interestingly, such as iDefense and 3Com/Tippingpoint buy vul- the social planner can achieve the first-best outcome nerability information from users on behalf of their even if the vendor does not internalize customer loss clients, an arrangement that may be socially harmful fully. absent appropriate vulnerability disclosure guidelines Although our setup is general, we make simplify- (Kannan and Telang 2005). ing assumptions for tractability. However, we show 1.2. Research Questions in §4.3 that our results are robust to various exten- A lack of consensus on the appropriate disclosure pol- sions. In extensions of the basic model, we allow the icy necessitates a conceptual framework to analyze users’ patching rate to vary with the quality of the and guide disclosure policy.2 Thus, the goal of this patch and we allow the vendor to choose the qual- paper is (i) to develop a model of the optimal policy ity of the patch. We show that giving more time to for vulnerability disclosure, which provides action- the vendor does not always result in a higher-quality able recommendations to the policy maker, and (ii) to patch. In another extension, we allow some users analyze how the optimal policy is conditioned by (smart users) to defend themselves by applying work- various factors. In particular, we examine how long arounds instead of waiting for a patch, if informed a vendor should be allowed to keep a vulnera- of the vulnerability. We show that the social planner bility secret (henceforth, the “protected period”) to can be more aggressive and disclose the vulnerabil- optimally balance the need to protect users while ity early, even if the vendor internalizes very little of providing vendors with incentives to develop a patch the customer loss. However, for intermediate values expeditiously. Our model can be used to analyze alter- of the proportion of smart users, the presence of smart natives and to suggest improvements in policies of users increases the social loss. entities, such as CERT, acting on behalf of society at In §2, we review the relevant literature. We present large. the basic setup and assumptions in §3 and the ven- The optimal disclosure policy depends on the be- dor’s decision and the choice of the socially optimal havior of vendors, potential attackers, and users. In protected period in §4. Section 4.4 analyzes the case this paper, a vendor is assumed to minimize costs, where the speed with which users apply the patch and hence its choice of when to deliver the patch is a function of the quality of the patch. Section 5 minimizes the sum of the cost of developing a patch extends the model to allow the users to implement and the portion of the user losses it internalizes. work-arounds, and §6 summarizes and concludes. Developing a patch early is costly. However, devel- oping a patch late is costly for the users because attackers can find the vulnerability on their own, 2. Prior Literature and this probability is increasing in time. Thus the This paper contributes to the emerging literature on vendor trades off these costs. However, because the the economic and policy aspects of cybersecurity, vendor does not internalize all customer losses, it hitherto a near-exclusive domain of computer scien- tists and technologists (Gordon and Loeb 2002). Typi- 1 Organization for Internet Safety members include @stake, Bind- cal empirical work in this domain has been devoted to View, Caldera International (The SCO Group), Foundstone, trend analysis of vulnerabilities. Browne et al. (2001) Guardent, ISS, Microsoft, NAI, Oracle, SGI, and Symantec. For show that the number of the cumulative incidences details, see http://www.oisafty.org. (C) follows a specific trend over time (M). In par- 2 See also the “Full Disclosure Debate Bibliography,” http://www. √ wildernesscoast.org/bib/disclosure-by-date.html (accessed August ticular, they estimate C = + M. Arbaugh et al. 24, 2005). See also Preston and Lofton (2002). (2000) propose a life-cycle model of a vulnerability Arora, Telang, and Xu: Optimal Policy for Software Vulnerability Disclosure 644 Management Science 54(4), pp. 642–656, © 2008 INFORMS
Figure 1 Timeline of Vulnerability
0 xtT end and show that the number of attacks exhibits a bell- the vendor’s products), and attackers. Customers’ and shaped curve over time since the discovery of the vul- attackers’ behavior is exogenously fixed, and we focus nerability. Arora et al. (2006a) find that disclosing a on the decisions of the social planner and the vendor. vulnerability leads to more attacks, and the number We model a situation (see Figure 1) where a vulner- of attacks are higher if the patch is not available at the ability is discovered by a benign discoverer (differ- time of disclosure. Arora et al. (2006c) find that early ent from the vendor or attackers) and is reported to disclosure prompts vendors to release patches more a social planner (like CERT) at time “0.”3 The social quickly. planner immediately informs the vendor and sets a Some recent papers analyze economic issues related protected period, T , after which it commits to pub- to vulnerability disclosure. Kannan and Telang (2005) licly disclose this information. The vendor makes a show that a market for software vulnerability would one-time decision on when to release a patch.4 For lower social welfare if buyers choose to disclose the simplicity, patch release time, , is assumed to be vulnerabilities they buy. August and Tunca (2005) deterministic. analyze how unpatched users exert externalities on Users incur losses when attackers exploit the vul- patched users, and show that the presence of the nerability in their systems. Attackers exploit the vul- externality affects the vendors’ incentives to improve nerability when they become aware of it and if the network security. We also explore such externalities customers have not patched. The disclosure policy by allowing a fraction of users to implement work- is binary: Either all information is disclosed or none arounds and impose the externalities on the users is. To ensure that losses are bounded, we treat the that lack this ability. Arora et al. (2005) develop an product life cyle (or version life cyle), tend as large analytical model where the possibility of patching but finite. Instant disclosure means T = 0, whereas a software product after it has been released cre- a secrecy policy implies that T>tend, which essen- ates incentives for the vendors to rush to the market tially means that the information is never disclosed with buggier products, especially in larger markets. (any action after tend is economically irrelevant in our Cavusoglu et al. (2005) present a model of risk shar- model). We assume, for now, that customers apply the ing between the vendor and software users where the patch as soon as it is released. risk arises due to vulnerabilities. These papers do not Attackers may discover the vulnerability at time x, deal with the issue of disclosure directly. where x is a random variable with a pdf, f x . Attack- Choi et al. (2005) present a model in which the ers exploit the vulnerability at time x or at time T , vendor chooses to disclose vulnerability information whichever is earlier. Estimates suggest that about along with a patch when a vulnerability is discovered. 60% of the documented vulnerabilities can be ex- They show that the vendor may not disclose the vul- ploited almost instantly, either because exploit tools nerability information even when it is socially optimal are widely available or because no exploit tool is to do so. They do not model the threat of disclosure. needed (Symantec 2003). Allowing for a deterministic Png et al. (2006) model a game between users and period of exploit-tool development is straightforward. attackers. They show that externalities cause users A key assumption in our model, relaxed in §5, is that to underinvest in security and suggest policy mea- users remain unprotected until a patch is released. sures to remedy the problem. Nizovtsev and Thursby Our model has two stages. In the first stage, the (2007) model the incentives of benign users to dis- social planner chooses the optimal protected pe- close software vulnerabilities through an open pub- riod T ∗, and in the second stage, the vendor chooses lic forum, whereas in our model, a benign user only a patch development time, ∗, in response to T . The contacts CERT, which then chooses the disclosure window. Cavusoglu et al. (2004) also analyze the question of vulnerability disclosure. However, their 3 Because our goal is to study the socially optimal protected period, operationalization of social cost differs from ours. we examine the case where the vulnerability is reported to the social planner. If the vendor were to find the vulnerability, it would Thus, unlike in our model, they find that vendors may act as if the protected period were infinite. If the attacker were release the patch before the socially optimal time. to find the vulnerability, it would be as if the protected period were zero. 3. Basic Setup and Assumptions 4 This assumption makes sense if the vendor has to commit resources to develop a patch for a period of time. However, implic- There are four participants in our model—a social itly it requires that the vendor releases the patch as soon as the planner, a vendor, representative users (customers of patch is ready. Arora, Telang, and Xu: Optimal Policy for Software Vulnerability Disclosure Management Science 54(4), pp. 642–656, © 2008 INFORMS 645
Table 1 Notation to a wider audience.” This suggests the following assumption. Patch release time set by the vendor T Protected period set by the social planner Assumption 1 (A1). l y is increasing and strictly V T Vendor expected cost function convex in y, tend ≥ y ≥ 0 and l 0 = 0. S T T Social planner cost function q Quality of the patch Customer losses depends upon the gap between C q Vendor patch development cost when the quality of the patch is q when the vulnerability is discovered by attackers (or z Instantaneous loss for unpatched customers at time z disclosed to them) and when the patch is released. after the patch release If the patch is released before disclosure, customers ly Cumulative prepatch customer loss when exposed to suffer a loss only if an attacker rediscovers the vul- attacks for duration y nerability prior to the patch. From Figure 1, x is when L T T Expected prepatch customer loss an attacker finds the vulnerability and is when L T˜ tend Expected postpatch customer loss T T tend Total (pre- and postpatch) expected customer loss the patch is released. Customers may be attacked Proportion of customer loss internalized by the vendor between time x and time , and do not suffer pzq Proportion of users who have applied the patch of losses beyond tend. Hence, cumulative customer loss quality q by the elapsed time z since patch release. is l − x (or l tend − x if >tend). If the patch is Fx Probability of attacker finding the vulnerability by time x released after T and the customers apply the patches s Socially optimal patch release time (if the social planner could release patch) instantly, there are two possibilities: First, attackers Patch release time by the vendor under secrecy policy could find the vulnerability on their own and exploit T k Kink point in vendor’s reaction function w.r.t to T it for − x periods. Alternatively, at time T , attackers Proportion of smart users who can implement learn about the vulnerability when it is disclosed and work-around if informed by the social planner w Cost of work-around exploit it until the patch is released at , for − T V w T Vendor cost function when smart users implement periods. The probability that attackers discover the work-around vulnerability on their own by time x is given by the Sw T T Social planner cost function when smart users implement cdf F x . Thus, the expected prepatch customer loss work-around L T , which is a function of the protected period T w Vendor patching time when smart users implement work-around. and the patch release time , can be written as T w Cutoff point such that for T ≤ T w , vendor induces work-around and vice versa l − x dF x when