Printed from https://ideas.repec.org/a/bla/popmgt/v29y2020i11p2532-2552.html

Determinants of Software Vulnerability Disclosure Timing

Authors

  • Ravi Sen
  • Joobin Choobineh
  • Subodha Kumar

Abstract

The timing of vulnerability disclosures (by vulnerability discoverers) has significant implications for software producers and users. Immediate disclosure (before a patch becomes available) could result in exploits with subsequent harm to installed systems. Therefore, it is important to understand the determinants of this timing. In this study, we investigate the impacts of (i) the perception of the vulnerability discoverer about the software producer, (ii) the type of vulnerable software, and (iii) the severity of the vulnerability, on a vulnerability discoverer's choice of disclosure timing. We collect data from three different sources and control for the vulnerability discoverer's motivations and beliefs. Our results indicate that those who perceive a software producer to be timely in its patch release, reward it by delaying the disclosure. We also find that it is more likely that the disclosure is delayed for open source software and it is less likely that the disclosure is delayed for more severe vulnerabilities. The findings of this study are relevant to software producers in their decision‐making process on resource allocation for software patches and should also help policy‐makers to devise regulations relevant to the timing of disclosures and patch releases. Furthermore, these findings could be relevant to software consumers searching for a particular software product that they would like to use. This study attempts to provide insights into an ongoing discussion in the operations management community regarding how to allocate and divide resources between software development and software maintenance.

Suggested Citation

  • Ravi Sen & Joobin Choobineh & Subodha Kumar, 2020. "Determinants of Software Vulnerability Disclosure Timing," Production and Operations Management, Production and Operations Management Society, vol. 29(11), pages 2532-2552, November.
  • Handle: RePEc:bla:popmgt:v:29:y:2020:i:11:p:2532-2552
    DOI: 10.1111/poms.13120
    Download full text from publisher

    File URL: https://doi.org/10.1111/poms.13120
    Download Restriction: no

    References listed on IDEAS

    1. Dardanoni, Valentino & Li Donni, Paolo, 2012. "Incentive and selection effects of Medigap insurance on inpatient care," Journal of Health Economics, Elsevier, vol. 31(3), pages 457-470.
    2. repec:bla:kyklos:v:54:y:2001:i:2-3:p:317-42 is not listed on IDEAS
    3. Pu Li & H. Raghav Rao, 2007. "An examination of private intermediaries’ roles in software vulnerabilities disclosure," Information Systems Frontiers, Springer, vol. 9(5), pages 531-539, November.
    4. Krishnamurthy, Sandeep & Ou, Shaosong & Tripathi, Arvind K., 2014. "Acceptance of monetary rewards in open source software development," Research Policy, Elsevier, vol. 43(4), pages 632-644.
    5. Siegwart Lindenberg, 2001. "Intrinsic Motivation in a New Light," Kyklos, Wiley Blackwell, vol. 54(2‐3), pages 317-342, May.
    6. Richard Williams, 2006. "Generalized ordered logit/partial proportional odds models for ordinal dependent variables," Stata Journal, StataCorp LP, vol. 6(1), pages 58-82, March.
    7. Ashish Arora & Jonathan P. Caulkins & Rahul Telang, 2006. "Research Note--Sell First, Fix Later: Impact of Patching on Software Quality," Management Science, INFORMS, vol. 52(3), pages 465-471, March.
    8. Ashish Arora & Anand Nandkumar & Rahul Telang, 2006. "Does information security attack frequency increase with vulnerability disclosure? An empirical analysis," Information Systems Frontiers, Springer, vol. 8(5), pages 350-362, December.
    9. Ashish Arora & Rahul Telang & Hao Xu, 2008. "Optimal Policy for Software Vulnerability Disclosure," Management Science, INFORMS, vol. 54(4), pages 642-656, April.
    10. Milind Dawande & Subodha Kumar & Vijay Mookerjee & Chelliah Sriskandarajah, 2008. "Maximum Commonality Problems: Applications and Analysis," Management Science, INFORMS, vol. 54(1), pages 194-207, January.
    11. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    12. Hao Xia & Milind Dawande & Vijay Mookerjee, 2016. "Optimal Coordination in Distributed Software Development," Production and Operations Management, Production and Operations Management Society, vol. 25(1), pages 56-76, January.
    13. Yonghua Ji & Subodha Kumar & Vijay Mookerjee, 2016. "When Being Hot Is Not Cool: Monitoring Hot Lists for Information Security," Information Systems Research, INFORMS, vol. 27(4), pages 897-918, December.
    14. Asunur Cezar & Huseyin Cavusoglu & Srinivasan Raghunathan, 2017. "Sourcing Information Security Operations: The Role of Risk Interdependency and Competitive Externality in Outsourcing Decisions," Production and Operations Management, Production and Operations Management Society, vol. 26(5), pages 860-879, May.
    15. Karthik Kannan & Rahul Telang, 2005. "Market for Software Vulnerabilities? Think Again," Management Science, INFORMS, vol. 51(5), pages 726-740, May.
    16. Milind Dawande & Monica Johar & Subodha Kumar & Vijay S. Mookerjee, 2008. "A Comparison of Pair Versus Solo Programming Under Different Objectives: An Analytical Approach," Information Systems Research, INFORMS, vol. 19(1), pages 71-92, March.
    17. Fisher, Robert J & Ackerman, David, 1998. "The Effects of Recognition and Group Need on Volunteerism: A Social Norm Perspective," Journal of Consumer Research, Journal of Consumer Research Inc., vol. 25(3), pages 262-275, December.
    18. Krishnamurthy, Sandeep & Tripathi, Arvind K., 2009. "Monetary donations to an open source software platform," Research Policy, Elsevier, vol. 38(2), pages 404-414, March.
    19. Martin Dierker & Avanidhar Subrahmanyam, 2017. "Dynamic Information Disclosure," Contemporary Accounting Research, John Wiley & Sons, vol. 34(1), pages 601-621, March.
    20. Jeffrey A. Roberts & Il-Horn Hann & Sandra A. Slaughter, 2006. "Understanding the Motivations, Participation, and Performance of Open Source Software Developers: A Longitudinal Study of the Apache Projects," Management Science, INFORMS, vol. 52(7), pages 984-999, July.
    21. Ryu, C. & Sharman, R. & Rao, H.R. & Upadhyaya, S., 2010. "Security protection design for deception and real system regimes: A model and analysis," European Journal of Operational Research, Elsevier, vol. 201(2), pages 545-556, March.
    22. Yonghua Ji & Vijay S. Mookerjee & Suresh P. Sethi, 2005. "Optimal Software Development: A Control Theoretic Approach," Information Systems Research, INFORMS, vol. 16(3), pages 292-306, September.

    Citations

    Cited by:

    1. Rahul Menon & Lin Nan, 2023. "Sooner or later? A study of report timing," Production and Operations Management, Production and Operations Management Society, vol. 32(3), pages 762-779, March.
    2. Zach Zhizhong Zhou & Vidyanand Choudhary, 2022. "Impact of Competition from Open Source Software on Proprietary Software," Production and Operations Management, Production and Operations Management Society, vol. 31(2), pages 731-742, February.
    3. Subodha Kumar & Rakesh R. Mallipeddi, 2022. "Impact of cybersecurity on operations and supply chain management: Emerging trends and future research directions," Production and Operations Management, Production and Operations Management Society, vol. 31(12), pages 4488-4500, December.

    Most related items

    These are the items that most often cite the same works as this one and are cited by the same works as this one.
    1. Arora, Ashish & Forman, Chris & Nandkumar, Anand & Telang, Rahul, 2010. "Competition and patching of security vulnerabilities: An empirical analysis," Information Economics and Policy, Elsevier, vol. 22(2), pages 164-177, May.
    2. Alain Bensoussan & Vijay Mookerjee & Wei T. Yue, 2020. "Managing Information System Security Under Continuous and Abrupt Deterioration," Production and Operations Management, Production and Operations Management Society, vol. 29(8), pages 1894-1917, August.
    3. Debabrata Dey & Atanu Lahiri & Guoying Zhang, 2015. "Optimal Policies for Security Patch Management," INFORMS Journal on Computing, INFORMS, vol. 27(3), pages 462-477, August.
    4. Terrence August & Marius Florin Niculescu, 2013. "The Influence of Software Process Maturity and Customer Error Reporting on Software Release and Pricing," Management Science, INFORMS, vol. 59(12), pages 2702-2726, December.
    5. Terrence August & Duy Dao & Marius Florin Niculescu, 2022. "Economics of Ransomware: Risk Interdependence and Large-Scale Attacks," Management Science, INFORMS, vol. 68(12), pages 8979-9002, December.
    6. Ashish Arora & Ramayya Krishnan & Rahul Telang & Yubao Yang, 2010. "An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure," Information Systems Research, INFORMS, vol. 21(1), pages 115-132, March.
    7. Karthik Kannan & Mohammad S. Rahman & Mohit Tawarmalani, 2016. "Economic and Policy Implications of Restricted Patch Distribution," Management Science, INFORMS, vol. 62(11), pages 3161-3182, November.
    8. Qian Tang & Andrew B. Whinston, 2020. "Do Reputational Sanctions Deter Negligence in Information Security Management? A Field Quasi‐Experiment," Production and Operations Management, Production and Operations Management Society, vol. 29(2), pages 410-427, February.
    9. Sabyasachi Mitra & Sam Ransbotham, 2015. "Information Disclosure and the Diffusion of Information Security Attacks," Information Systems Research, INFORMS, vol. 26(3), pages 565-584, September.
    10. Foad Iravani & Sriram Dasu & Reza Ahmadi, 2012. "A Hierarchical Framework for Organizing a Software Development Process," Operations Research, INFORMS, vol. 60(6), pages 1310-1322, December.
    11. Anshul Tickoo & P. K. Kapur & A. K. Shrivastava & Sunil K. Khatri, 2016. "Testing effort based modeling to determine optimal release and patching time of software," International Journal of System Assurance Engineering and Management, Springer;The Society for Reliability, Engineering Quality and Operations Management (SREQOM),India, and Division of Operation and Maintenance, Lulea University of Technology, Sweden, vol. 7(4), pages 427-434, December.
    12. Maha Shaikh & Emmanuelle Vaast, 2016. "Folding and Unfolding: Balancing Openness and Transparency in Open Source Communities," Information Systems Research, INFORMS, vol. 27(4), pages 813-833, December.
    13. Belenzon, Sharon & Schankerman, Mark, 2008. "Motivation and sorting in open source software innovation," LSE Research Online Documents on Economics 51594, London School of Economics and Political Science, LSE Library.
    14. Xing Gao & Weijun Zhong & Shue Mei, 2015. "Security investment and information sharing under an alternative security breach probability function," Information Systems Frontiers, Springer, vol. 17(2), pages 423-438, April.
    15. Kalpit Sharma & Arunabha Mukhopadhyay, 2023. "Cyber-risk Management Framework for Online Gaming Firms: an Artificial Neural Network Approach," Information Systems Frontiers, Springer, vol. 25(5), pages 1757-1778, October.
    16. Islam, Mazhar & Miller, Jacob & Park, Haemin Dennis, 2017. "But what will it cost me? How do private costs of participation affect open source software projects?," Research Policy, Elsevier, vol. 46(6), pages 1062-1070.
    17. Saini Das & Arunabha Mukhopadhyay & Debashis Saha & Samir Sadhukhan, 2019. "A Markov-Based Model for Information Security Risk Assessment in Healthcare MANETs," Information Systems Frontiers, Springer, vol. 21(5), pages 959-977, October.
    18. Vidyanand Choudhary & Zhe (James) Zhang, 2015. "Research Note—Patching the Cloud: The Impact of SaaS on Patching Strategy and the Timing of Software Release," Information Systems Research, INFORMS, vol. 26(4), pages 845-858, December.
    19. Krishnamurthy, Sandeep & Ou, Shaosong & Tripathi, Arvind K., 2014. "Acceptance of monetary rewards in open source software development," Research Policy, Elsevier, vol. 43(4), pages 632-644.
    20. Arrah-Marie Jo, 2019. "Software vulnerability disclosure and security investment [L'impact de la divulgation d’une faille de sécurité : au-delà des motivations de l’éditeur de logiciel]," Post-Print hal-03033198, HAL.
