Abstract
The global network threat is becoming more and more serious, and network security vulnerability management has become one of the critical areas in the construction of the national information security emergency system. To guide third-party sharing platforms in network security vulnerability management, this work constructs a signal game model comprising third-party vulnerability sharing platforms and software vendors for collaborative vulnerability disclosure. In addition, we analyze the game strategy selection and its influencing factors. The results show that, because the information disclosed is incomplete, there are two perfect Bayesian equilibria: a separation equilibrium and a mixed (pooling) equilibrium. Which equilibrium arises depends mainly on how far the protection period is compressed and on the proportion of software vendors in the market who develop patches. This work puts forward suggestions in terms of the protection period, reputation loss, and relevant laws and regulations.
1. Introduction
Information technology (IT) plays a critical role in most organizations. As our society depends heavily on technology, its malfunctions become more disastrous. Any event or action that potentially threatens the security of IT resources, including the data and information within these resources, is of great concern. Today most security incidents are caused by flaws in software, called vulnerabilities [1]. The abundance of vulnerabilities has been identified as the main cause of poor security in computer networks [2]. However, vulnerabilities in software are inevitable. It is estimated that there are as many as 20 flaws per thousand lines of software code [3]. Although many software vendors have recently started paying more attention to secure software engineering practices, software with zero vulnerabilities is unlikely. One key aspect of better and more secure software is the timely release of patches by vendors to address the vulnerabilities in their products [4]. Patch release can be viewed as post-sales product support. The failure of software users to patch in a timely manner enables attackers with malicious intentions to access their systems and oftentimes obtain full, administrator-level control. Such intrusions lead to financial and privacy losses as users continue to transact and use these systems unknowingly. Even worse, the presence of sizeable populations of compromised systems on computer networks imposes a substantial externality on all network users [5]. It is noteworthy that information security is no longer just a problem of the internet industry itself but has become an important issue related to public security.
1.1. Network Security Vulnerabilities
It is notable that the issue of patches has also gained prominence due to the public disclosure of vulnerabilities. As one of the central links in information security risk control, network security vulnerability disclosure plays a vital role in reducing and differentiating various risks. Strengthening the collection, analysis, reporting, and notification of network security vulnerabilities has become an important part of national information security. In China, the collaboration among the Chinese National Vulnerability Database of Information Security (https://www.cnnvd.org.cn), Butian (https://www.butian.net/), Vulbox (https://www.vulbox.com/), and other third-party vulnerability sharing platforms plays an important role in information security.
Generally, the vulnerability life cycle includes seven stages: generation, discovery, release, popularity, repair, decay, and extinction. Among them, vulnerability release is the vulnerability disclosure discussed in this article. Once the vulnerability discoverer reveals the vulnerability to the manufacturer (or other subjects), the vulnerability disclosure stage begins immediately. The vulnerability information can be fully disclosed by publishing it to a third-party platform, or it can be traded secretly between hackers. It is generally believed that vulnerability disclosure refers to the disclosure of vulnerability information to the public through open channels. The Chinese National Standard Code for Information Security Technology Information Security Vulnerability Management (GB/T 30276-2013) defines it as “the release of vulnerability and its repair information under the premise of following certain release strategies.” The term “release” is adopted in the Network Security Law to directly regulate the disclosure of vulnerabilities. Article 26 of the law stipulates “to carry out network security certification, detection, risk assessment, and other activities and to release network security information, such as system vulnerabilities, computer viruses, network attacks, and network intrusions to the public, the relevant national regulations shall be observed.”
1.2. Vulnerability Coordination Disclosure and Protection Period Setting
The steps followed to handle the dissemination of the knowledge of software vulnerabilities after a benign user identifies them are collectively known as the vulnerability disclosure process. The vulnerability discoverer submits the discovered vulnerabilities to the third-party vulnerability sharing platform. The third-party platform then identifies the nature of the vulnerabilities and negotiates with the software manufacturer or other downstream teams to repair them. Then, the vulnerability information will be disclosed during which the vulnerability discoverers, third-party vulnerability sharing platforms, and software vendors must cooperate to effectively address the vulnerability issues [6, 7]. This collaboration is known as the collaborative disclosure and it emphasizes that all the stakeholders, including vulnerability discoverers, software vendors, third-party vulnerability sharing platforms, and government agencies, should share the security vulnerability information, work together, and actively cooperate to mitigate the security risks. Please note that the time difference between the vulnerability information disclosure and patch repair and a balance between the requirements of all parties have become basic considerations for information collaborative disclosure of the third-party vulnerability sharing platforms. For this reason, the third-party vulnerability sharing platforms set a vulnerability information protection period. For instance, the US-CERT protection period is 45 days. The regulations on network security vulnerability management (exposure draft) issued by the Ministry of Industry and Information Technology in the People’s Republic of China suggest that the protection period is 90 days. During the protection period, the platform does not actively disclose the vulnerability information to avoid being exploited by the hackers. 
After a patch is successfully developed, or once the protection period has lapsed, the vulnerability information is disclosed. Under this backtracking mechanism, software vendors actively develop patches during the vulnerability protection period in order to avoid zero-time-difference attacks and to maintain corporate reputation [8]. However, considering today’s cybersecurity attack landscape, the current patching process for security has been less effective than desired [9]. As a result, many systems remain unpatched for a long time after patches are released. According to the Chinese National Vulnerability Database of Information Security, more than 25% of the ultracritical vulnerabilities disclosed in 2019 were not patched successfully. The major reason that commercial software could not be repaired was that the patch was not developed in time. Consequently, the third-party platform’s disclosure of information on unrepaired vulnerabilities intensifies the risk.
The protection period has become one of the key instruments by which third-party platforms regulate the patch research and development behavior of software vendors. Typically, once a vulnerability is made known to the vendor, the vendor is expected to release a timely patch. However, not everyone sees the vulnerability disclosure process as the optimal solution. During the patch research and development process, the third-party platforms cannot directly obtain information about that process and have to wait passively. If the software vendors are still unable to release the patch at the end of the protection period, the network security risk increases. Therefore, it is necessary for third-party platforms to screen software suppliers, classify them based on their efforts in patch development, adjust the protection period, and thereby push software suppliers to actively develop patches. Software suppliers, in turn, actively send their own signals to obtain the best vulnerability protection period, thereby reducing the cost of patch development. To verify these ideas, this paper proposes a signal game model between software vendors and third-party vulnerability sharing platforms in the process of collaborative disclosure of information security vulnerabilities.
2. Theoretical Backgrounds
2.1. Challenges in Vulnerability Disclosure
The vulnerability refers to the defects and deficiencies in the design and implementation of hardware, software, and communication protocols of an information system, or the defects and deficiencies in the system security strategy [3]. Therefore, the network security vulnerabilities are inevitable. Once the vulnerabilities are discovered, disclosed, and abused, they may cause damage to the system. Given the spread speed of the Internet, vulnerability can spread all over the world in a few hours [10]. In order to address these issues, the vulnerability disclosure has become the most critical link in the information security industry. However, the ethical issues concerning the disclosure of vulnerabilities have also been debated by various countries [11].
The vulnerability disclosure often requires coordination between multiple parties, according to the CERT guide [12]. This behavior is called coordinated vulnerability disclosure. The collaborative disclosure means that the coordinator receives the vulnerability information, coordinates this information among the stakeholders, and discloses the software vulnerability information and patch development status to the stakeholders, including the public. Generally, the coordinator is a neutral and independent third-party platform [7]. A limited disclosure means that the vulnerability discoverer reports the security vulnerability to the manufacturer, thus assisting in solving the security vulnerability problem. When the solution is complete, the manufacturer announces the vulnerability and releases the patch to the user. This type of vulnerability disclosure is more neutral and has more complex details. It is a compromise and derivative of the first two types of vulnerability disclosure, although there are many unreasonable points, such as releasing vulnerabilities without patches, which still lead to similar security problems caused by the full disclosure. Please note that this type of disclosure gives consideration to the interests of users and manufacturers and is approved by a large number of security researchers. It is very difficult as it hides the information from the security personnel, and the attackers can independently find and share the vulnerabilities [13]. As compared with the limited disclosure, the full disclosure leads to a smaller delay in the spread of vulnerability attacks, stronger attack bursts, and a higher risk of the first attack one day after the disclosure [14]. As each of these policies tend to favor one stakeholder, the security community has recently realized a need for a middle ground in which both the vendor and benign user can compromise in the vulnerability disclosure process to make the process better for the society [15]. 
Therefore, the collaborative disclosure has become the best choice among the industry and research community. In this disclosure process, the benign user does not announce the vulnerability knowledge to the public immediately and gives the vendor some time to develop a patch. If the vendor does not release its patch before the deadline, the public is informed about the vulnerability [7]. Sometimes, direct disclosure also plays an important role in the collaborative disclosure of vulnerabilities. More and more scholars support the mixed disclosure model. Different disclosure models are not as clear as previously proposed, and the boundaries are increasingly blurred [16].
2.2. Methods of Vulnerability Disclosure
By providing products suited to specific environments, collaborative disclosure benefits both enterprises and consumers [17]. The bug bounty programs (BBPs) of suppliers and intermediaries are the most important invention of recent years for preventing vulnerability crimes. However, even with suppliers’ incentives and other incentives, the proportion of information disclosure and hackers’ participation has increased only slightly. Security researchers are motivated to contribute to those BBPs that provide higher remuneration, and not just to those programs with a higher probability of discovering vulnerabilities [18]. As compared with other disclosure methods, collaborative disclosure based on third-party platforms effectively improves efficiency and benefits in most cases [19, 20]. When a vendor incrementally releases a patch to fix a vulnerability, attackers may use the patch released for one device to find and exploit the same vulnerability on other devices that the vendor has not yet patched (Nakajimata et al., 2020). Disclosure of vulnerabilities identified by organizations such as the computer emergency response team (CERT) forces suppliers to release patches after short intervals [4]. Considering the protection period of third-party vulnerability sharing platforms, Anderson et al. put forward the information security control theory for managing and coordinating the tension between network vulnerability information sharing and protection [21]. Software vendors’ usual patch development speed is lower than the social optimum [22].
2.3. Application of Game Theory in Vulnerability Disclosure
Game theory-based methods are widely used in network security management research, such as network security investment decision-making. Gao studied the use of another recognized security vulnerability probability function to determine the security investment and information sharing of two companies and analyzed the security vulnerability probabilities of the two information companies under the four states of sharing, aggregation attack, aggregation defense, and equilibrium under decentralized decision-making. The author compared these results with three centralized decision-making cases and proved that although aggregation attack, aggregation defense, and security vulnerability probabilities remain unchanged, more social intervention produces higher social welfare [23]. Hausken analyzed the four-stage game of network vulnerability information sharing between two companies and two hackers [24], and obtained management insights for hackers with different characteristics. However, there is a lack of research on how to address information asymmetry through signal transmission during the game process. In research on the operations of other platforms, various scholars have introduced signal game theory to study the signal display behavior of different platform subjects and its influencing factors, such as signal transmission between a supply chain platform and the platform seller [25], and signal transmission between a P2P platform and its bilateral lending users. As an information intermediary, a P2P platform may or may not transmit information, and the transmitted information may or may not be true; the effectiveness of signal display depends on the cost of signal display. When the cost of signal display is intermediate, P2P platforms are willing to display signals truthfully. This provides a reference for the selection of research methods in this work.
Currently, there are extensive theoretical discussions regarding the network security vulnerability disclosure. The use of game theory for analyzing the collaboration between different participants in the network security vulnerability disclosure is also concerned. However, the research results regarding the vulnerability collaborative disclosure based on the third-party vulnerability sharing platforms are still insufficient, and there is a relative lack of theoretical and empirical research on the games between third-party platforms and software vendors. This study is helpful for studying the influencing factors and mechanism of collaborative disclosure of security vulnerabilities based on third-party platforms. Moreover, this work accordingly puts forward corresponding suggestions on the collaborative disclosure of vulnerabilities between software suppliers and third-party vulnerability sharing platforms.
3. Research Assumptions and Model Construction
3.1. Definition of Participants
During the process of network security vulnerability disclosure, the participants include security researchers, governments, software vendors, third-party platforms, and “white hat”. The network security vulnerability disclosure and patch release process are presented in Figure 1. As white hat is often a registered member of the third-party vulnerability sharing platforms, it entrusts the third-party platform to handle the vulnerability when it is submitted. Therefore, in the signal game model presented in this work, only the game between the software vendors and the third-party platform is considered.

The software vendors are the signal senders and the third-party platforms are the signal receivers. The type of software vendor is private information. Based on the way the software vendors handle the discovered vulnerabilities, they can be divided into two types, including the software vendors who actively develop patches and the software vendors who do not develop the patches actively. It is assumed that the software vendors who actively develop patches successfully develop the patches within the protection period. The third-party vulnerability sharing platform is a public information service provider. It is a player whose main purpose is to improve the network security. Please note that both players are rational economic individuals, aiming to maximize their payoffs. For other participants in the network security vulnerability disclosure, it is assumed that white hat immediately submits the vulnerability information to the third-party platform after obtaining it. Moreover, we also assume that the users also install the patch immediately after its release.
3.2. Game Signal
Due to asymmetric information, the third-party platforms are unable to completely understand if the software vendors are actively researching and developing the patches for the discovered vulnerabilities. The third-party vulnerability disclosure platform only relies on the signal sent by the software vendors to judge and decide whether to adjust the protection period. The software vendors send the signals to show their willingness to develop the patches. Assuming that is a high intention signal, it means that the software vendors declare that it will actively develop the patches. On the contrary, is a low intention signal, which indicates that the software vendors declare that it will not develop the patches actively.
3.3. Parameter Assumptions
H1: When a software vendor discloses vulnerabilities in a timely manner, consumers feel protected, purchases of the company’s products increase, and the profit and reputation of the software supplier increase (Choi and Fershtman et al., 2010). The operating income of a software vendor of type is . The revenue of a software vendor of type is , where . Please note that the operating income of the software vendors is affected by their attitude toward patch research and development.
H2: Software vendors who send high intention signals receive the social reward for actively repairing the vulnerabilities. Software vendors who send low willingness signals receive the social reward for actively repairing vulnerabilities. Generally speaking, software vendors who send high intention signals are more likely to win the trust of consumers than software vendors who send low intention signals. It is assumed that all software vendors who actively develop patches do so successfully within the protection period.
H3: The cost borne by software vendors of type for sending a high willingness signal is . In order to show high willingness, software vendors of type disguise themselves, for example by falsely reporting turnover, and the camouflage cost is . The cost of sending a high willingness signal is recorded as . The cost of a low willingness signal is 0.
H4: The research and development cost borne by the software vendors is , where denotes the cost borne by the software vendors to release the patches immediately when the vulnerabilities are discovered and characterizes the savings in patch development cost per unit time associated with delaying the release. The distribution and maintenance costs of patch R&D are not considered [26]. denotes the vulnerability protection period specified by the third-party platform, and represents the time elapsed when the vulnerabilities are submitted to the third-party platforms.
H5: When the software vendors do not release patches for the vulnerabilities and the vulnerability information is not disclosed, the software vendors bear a risk cost . If the vulnerability information is disclosed, the risk cost is (). Software vendors that do not actively develop patches eventually suffer attack losses . The attack loss is greater than the risk cost.
H6: A platform has two options after receiving the signal, i.e., disclose the vulnerability information immediately or disclose the vulnerability after the expiration of the protection period (at this time, is a fixed value). Please note that denotes disclosure in the normal protection period and denotes immediate disclosure . Suppose that the cost borne by the third-party platform to immediately disclose the vulnerabilities of willing software vendors is and the cost of immediately disclosing the vulnerabilities of less willing manufacturers is (); the cost of disclosure in the normal protection period is 0. Currently, there are very few provisions regarding the control of vulnerability disclosure in China. The scope of the “relevant national provisions” to be complied with under these provisions includes departmental regulations of lower legal rank than the criminal law, which leaves the legitimacy of vulnerability disclosure by third-party platforms unclear. A third party’s security testing and vulnerability discovery without the consent of the software vendors may itself violate the provisions of the criminal law. Therefore, the third-party vulnerability disclosure platform may bear legal risks when disclosing vulnerabilities, while it is more likely that less willing manufacturers do not actively develop patches. As a result, the potential risks are also higher.
H7: For software vendors who do not actively develop patches, if the third-party platform chooses to disclose immediately in order to force them to repair the vulnerabilities and reduce network security risks, the platform gains social benefit , such as an improved social reputation and a shortened vulnerability lifetime. If no measures are taken against software vendors that do not actively develop patches, the third-party platform suffers loss , such as a decline in competitiveness and a reduction in the number of “white hat” vulnerability submissions.
H8: If the third-party platform chooses to disclose the vulnerability information during the normal protection period, a software vendor that sends a high intention signal and releases a patch before the end of the protection period gains reputation ; otherwise it loses reputation . A software vendor that sends a low intention signal and releases a patch before the end of the protection period gains reputation ; otherwise it loses reputation ().
H9: Third-party platforms do not independently develop vulnerability patches; they only disclose the vulnerabilities of software suppliers and supervise them according to their stated willingness. If software vendors do not solve vulnerability problems independently under the supervision of third-party platforms, they do not receive social rewards. Therefore, it is assumed that all software vendors express their willingness through third-party platforms and develop vulnerability patches under the supervision of third-party platforms.
3.4. Game Model
The time sequence of the game is presented below:
(1) Nature randomly selects a software vendor from the space according to a prior probability . Please note that the software vendor knows its own type , but the third-party platform does not possess this information. Instead, the third-party platform only knows the prior probability that the software vendor belongs to . Let .
(2) The software vendor chooses to send the signal after observing its own type . The signal space of the software vendors is .
(3) After the third-party platform receives the signal , the prior probability is modified based on Bayes’ law to obtain the posterior probability . Then, the action is selected from the action space .
(4) The payoff functions of software vendors and third-party platforms are and , respectively. The signal transmission dynamic game model is presented in Figure 2.

4. Signal Game Equilibrium Analysis
In the optimal state, in order to improve network security, software vendors should actively develop patches for discovered vulnerabilities. However, some manufacturers may delay the patch development process, or not develop patches at all, in order to reduce cost, and may send false signals to disguise their real intention regarding patch development. It is assumed that during the collaborative disclosure of vulnerability information, software vendors that do not actively develop patches transmit false information with probability , i.e., , , , and . According to Bayes’ law, the posterior probability of the third-party platform is obtained as follows:
All the possible refined Bayesian equilibria of the signal game can be divided into three categories, including separation equilibrium, mixed equilibrium, and quasiseparation equilibrium. It is evident from the aforementioned analysis that the posterior probability of the third-party platforms is affected by . This means that the equilibrium state of the game is also affected by . When , the game presents a state of separation equilibrium; when , the game presents a mixed equilibrium state; and when , the game presents a quasiseparation equilibrium state. Since there are only two types of software vendors and only four pure strategies for the participants, the refined Bayesian equilibrium does not consider the quasiseparation equilibrium. Instead, it only considers the separation and mixed equilibria [27].
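The Bayesian updating described in this section, and the three-way classification by the false-signal probability, can be made concrete with a short script. The following is an added example, not code from the paper; the parameter names prior_active (the paper's prior probability that a vendor is of the active type) and false_signal_prob (the paper's probability that an inactive vendor sends a high intention signal) are assumptions of this example. It also assumes, as the paper does, that active vendors always send the high intention signal.

```python
"""Platform beliefs in the vendor/platform signaling game (added example).

Assumed names (not from the paper):
  prior_active      - prior probability that the vendor actively develops patches
  false_signal_prob - probability that an inactive vendor sends the "high" signal
Active vendors are assumed to send "high" with probability 1.
"""

from typing import Optional


def _check_prob(value: float, name: str) -> None:
    if not 0.0 <= value <= 1.0:
        raise ValueError(f"{name} must lie in [0, 1], got {value}")


def posterior_active(prior_active: float, false_signal_prob: float,
                     signal: str) -> Optional[float]:
    """P(vendor is active | observed signal) by Bayes' rule.

    Likelihoods: P(high | active) = 1, P(high | inactive) = false_signal_prob.
    Returns None when the signal cannot occur on the equilibrium path
    (e.g. a "low" signal when every inactive vendor mimics), since Bayes'
    rule is undefined there and the belief must be set by assumption.
    """
    _check_prob(prior_active, "prior_active")
    _check_prob(false_signal_prob, "false_signal_prob")
    p, d = prior_active, false_signal_prob
    if signal == "high":
        p_signal = p * 1.0 + (1.0 - p) * d
        return None if p_signal == 0.0 else p / p_signal
    if signal == "low":
        p_signal = p * 0.0 + (1.0 - p) * (1.0 - d)
        return None if p_signal == 0.0 else 0.0
    raise ValueError("signal must be 'high' or 'low'")


def classify_equilibrium(false_signal_prob: float) -> str:
    """Map the false-signal probability to the paper's three equilibrium classes."""
    _check_prob(false_signal_prob, "false_signal_prob")
    if false_signal_prob == 0.0:
        return "separating"      # signals reveal the type exactly
    if false_signal_prob == 1.0:
        return "pooling"         # every vendor sends "high"; posterior = prior
    return "quasi-separating"    # partial information; not analysed in the paper


def belief_table(prior_active: float, false_signal_prob: float) -> dict:
    """Posterior belief after each signal, for inspection."""
    return {s: posterior_active(prior_active, false_signal_prob, s)
            for s in ("high", "low")}


if __name__ == "__main__":
    # Constructed inputs: 60% of vendors are active in this toy market.
    for d in (0.0, 0.5, 1.0):
        print(f"false_signal_prob={d}: {classify_equilibrium(d):17s}",
              belief_table(0.6, d))
```

With false_signal_prob = 0 the high signal moves the belief to 1 and the low signal to 0 (the separation case in Section 4.1); with false_signal_prob = 1 the high signal leaves the belief at the prior and the low signal is off the equilibrium path (the pooling case in Section 4.2).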
4.1. Separation Equilibrium State
The separation strategy of software vendors includes two cases, i.e., and . Since the second case has no practical significance, this model only discusses the first separation equilibrium. The probability of false information transmitted by software vendors who do not actively develop patches is . When the separation equilibrium is established, software vendors of type send the signal and software vendors of type send the signal . The posterior probabilities of the third-party platform are and .
(1) After the third-party platform receives the signal , it compares the expected returns of the two actions. The expected returns of the actions are expressed as follows: According to equation (5), , i.e., the expected return of the third-party platform from disclosure in the normal protection period is greater than the expected return from immediate disclosure. Its optimal strategy is to select the normal protection period, i.e., . When the third-party platform receives the signal , it again compares the expected returns of the two actions, which are expressed as follows: According to equation (6) and the assumptions , we have , i.e., the expected return of the third-party platform from immediate disclosure is greater than the expected return from the normal protection period. The optimal strategy is to choose immediate disclosure, i.e., .
(2) Given that the third-party platform’s action choice is , when is satisfied, the revenue of software vendors on the equilibrium path is expressed as follows:
The revenue of the software vendors on the unbalanced path is expressed as follows:
According to equations (7) and (8), when , software vendors who actively develop patches send a high willingness signal, whereas software vendors who do not actively develop patches send a low willingness signal. Therefore, when the third-party platform receives a low willingness signal from software vendors who do not actively develop patches, the revenue from immediate disclosure is greater than the revenue from disclosure during the normal protection period, i.e., . When the camouflage cost for software vendors who do not actively develop patches to send a high willingness signal satisfies , and is the separating refined Bayesian equilibrium of the game.
In this state of separation equilibrium, the third-party platform can choose the normal protection period to disclose the vulnerability information of software vendors who send high willingness signals and actively develop patches, and immediately disclose the vulnerability information of the software vendors who send low willingness signals and do not actively develop the patches. In order to obtain a normal protection period, software vendors who do not actively develop the patches begin to attach importance to patch research and development, and the proportion of software vendors who do not actively develop patches in the market become smaller and smaller. For third-party platforms, the revenue disclosed immediately by the software vendors who do not actively develop the patches by sending a low willingness signal is higher than the revenue disclosed during the normal protection period, and there is no motivation to deviate from the equilibrium.
4.2. Pooling Equilibrium State
In the pooling equilibrium state, all software vendors send the same signal, which therefore conveys nothing about their patch development state. The mixed equilibrium strategy includes two situations, i.e., and . According to the assumption of rational participants, software vendors of type will not choose to send low willingness signals ; consequently, only the first case is considered, i.e., software vendors of both types send high willingness signals. At this time, the probability that software vendors who do not actively develop patches transmit false information is . The game is in a pooling equilibrium state. Software vendors of both types and send the signal , and the posterior probabilities of the third-party platform are , , = , and .
(1) After receiving the signal on the pooling equilibrium path, the third-party platform compares the expected return of action with the expected return of action , as follows: According to equation (9), when , can be obtained. The expected return of the third-party platform in the normal protection period is better than the expected return of immediate disclosure, and its optimal strategy is to choose disclosure in the normal protection period, i.e., . When , . At this time, the optimal strategy of the third-party platform is to choose immediate disclosure, i.e., .
(2) Given that the third-party platform’s action choice is , i.e., the posterior probability of the third-party platform satisfies the condition , the software vendors’ income on the equilibrium path is expressed as follows:
The profits of the software vendors on the off-equilibrium path are expressed as follows:
According to equations (10) and (11), it is evident that . This shows that the income of the software vendors on the equilibrium path is lower than on the off-equilibrium path. Therefore, they have a strong incentive to deviate from the equilibrium, so there is no Bayesian equilibrium in this case.
Given that the action selection of the third-party platform is , i.e., the posterior probability of the third-party platform α satisfies the condition , the software vendors' income on the equilibrium path is expressed as follows:
The profits of the software vendors on the off-equilibrium path are expressed as follows:
According to equations (12) and (13), when , the income of the software vendors on the equilibrium path is greater than on the off-equilibrium path. Consequently, there is no incentive to deviate from the equilibrium.
Therefore, when , and the camouflage cost for software vendors that do not actively develop patches to send a high intention signal satisfies , is the pooling (mixed) perfect Bayesian equilibrium of the game. This equilibrium means that, regardless of whether a software vendor is actively researching and developing patches, it will choose to send a high willingness signal. The proportion of software vendors in the market actively researching and developing patches is . The third-party platforms benefit from disclosure in the normal protection period. However, in the long run, all the software vendors send high intention signals, and the efficiency of patch development declines.
The analysis of the basic model shows that when the camouflage cost of sending a high intention signal is very low and the third-party platform chooses the normal protection period to disclose the vulnerability information, the market enters the pooling (mixed) equilibrium. During the collaborative disclosure of vulnerability information, information asymmetry prevents the third-party platforms from fully assessing the true situation of the software vendors, which keeps the camouflage cost low. If the third-party platform immediately discloses all the vulnerability information, it pays a large cost. On the other hand, after the third-party platform receives a high intention signal, it infers that the software vendor will actively develop the patch. Therefore, the income passed back to the software vendor must be higher than that after receiving a low intention signal, i.e., it satisfies , so . When , the income gap is large and exceeds the camouflage cost of software vendors who do not actively develop patches. Regardless of the corporate responsibility of the software vendors, all the software vendors who send high intention signals may fail to actively develop patches, which reduces the overall vulnerability remediation capability of the software vendors in the market and damages the social interest. Therefore, the income gap should be narrowed, and measures should be taken to increase the losses suffered by software vendors who do not actively develop patches, so that the loss incurred by a software vendor that does not actively develop patches but obtains the normal protection period approaches the cost of developing patches immediately . The camouflage cost of software vendors who do not actively develop patches then exceeds the income difference, which satisfies the conditions of the separation equilibrium.
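As an added example that is not part of the paper, the following Python implements a generic perfect Bayesian equilibrium check for the two-type signalling game analysed above (vendor type: develops patches or not; signal: high or low willingness; platform action: normal protection period or immediate disclosure), so it covers any pure strategy profile rather than only the two the text discusses. The payoff tables and the prior share of active vendors are constructed assumptions chosen only to be consistent with the qualitative conclusions, not the paper's values, and an off-path low signal is attributed to a vendor that does not actively develop patches, following the paper's rationality assumption.

```python
# Added example (not the paper's code): perfect Bayesian equilibrium check for the
# vendor/platform signalling game. All payoff numbers are constructed assumptions.
TYPES = ("active", "inactive")      # does the vendor actively develop the patch?
SIGNALS = ("high", "low")           # willingness signal sent to the platform
ACTIONS = ("normal", "immediate")   # normal protection period vs immediate disclosure
# Constructed platform payoffs, indexed by (vendor type, platform action).
PLATFORM_PAYOFF = {("active", "normal"): 10.0, ("active", "immediate"): 4.0,
                   ("inactive", "normal"): -6.0, ("inactive", "immediate"): 2.0}
# Constructed vendor payoffs before camouflage cost, indexed by (type, action).
VENDOR_PAYOFF = {("active", "normal"): 8.0, ("active", "immediate"): 3.0,
                 ("inactive", "normal"): 6.0, ("inactive", "immediate"): 1.0}
SEPARATING = {"active": "high", "inactive": "low"}     # truthful signalling
POOLING_HIGH = {"active": "high", "inactive": "high"}  # everyone claims high willingness

def vendor_utility(vtype, signal, action, camouflage_cost):
    """Vendor payoff; an inactive vendor pays the camouflage cost to fake a high signal."""
    u = VENDOR_PAYOFF[(vtype, action)]
    if vtype == "inactive" and signal == "high":
        u -= camouflage_cost
    return u

def best_action(belief_active):
    """Platform best response to its posterior belief that the vendor is active."""
    expected = {a: belief_active * PLATFORM_PAYOFF[("active", a)]
                + (1.0 - belief_active) * PLATFORM_PAYOFF[("inactive", a)] for a in ACTIONS}
    return max(ACTIONS, key=expected.get)  # ties go to the normal protection period

def posterior_active(p_active, strategy, signal):
    """Bayes' rule; an off-path signal is attributed to the inactive type (paper's assumption)."""
    on_path_active = p_active * (strategy["active"] == signal)
    total = on_path_active + (1.0 - p_active) * (strategy["inactive"] == signal)
    return on_path_active / total if total > 0 else 0.0

def is_pbe(p_active, camouflage_cost, strategy):
    """Return (is_equilibrium, platform_response) for a pure vendor strategy profile."""
    response = {s: best_action(posterior_active(p_active, strategy, s)) for s in SIGNALS}
    for t in TYPES:
        own = vendor_utility(t, strategy[t], response[strategy[t]], camouflage_cost)
        for s in SIGNALS:  # a profitable deviation to another signal breaks the equilibrium
            if vendor_utility(t, s, response[s], camouflage_cost) > own + 1e-12:
                return False, response
    return True, response

def pooling_threshold():
    """Prior share of active vendors above which the platform prefers the normal period
    when both types send the same signal (the posterior then equals the prior)."""
    gain_active = PLATFORM_PAYOFF[("active", "normal")] - PLATFORM_PAYOFF[("active", "immediate")]
    loss_inactive = PLATFORM_PAYOFF[("inactive", "immediate")] - PLATFORM_PAYOFF[("inactive", "normal")]
    return loss_inactive / (gain_active + loss_inactive)
```

With these numbers the separating profile survives only when the camouflage cost is at least the inactive vendor's gain from obtaining the normal period, and pooling on the high signal survives only when that cost is low and the prior share of active vendors exceeds pooling_threshold().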
5. Conclusions and Suggestions
Based on the research regarding the signal game between the software vendors and third-party vulnerability sharing platforms during the collaborative disclosure of information security vulnerabilities, this paper analyzes two equilibrium states, the separation equilibrium and the pooling equilibrium. The results show that the camouflage cost of the software vendors who do not actively research and develop patches is the decisive factor for the market to achieve the separation equilibrium. When the market is in a separation equilibrium state, the third-party vulnerability sharing platform can accurately judge the true state of the software vendors from their signals and, based on that information, decide whether to disclose the vulnerability in the normal protection period or immediately. This separation equilibrium state is the ideal cooperation state for the third-party platforms and the software vendors. When the market is in a pooling equilibrium state, software vendors of different types all send high intention signals, and the revenues of the third-party vulnerability sharing platforms depend on the share of software vendors in the market that actively research and develop patches. Based on the above analysis, this work puts forward the following suggestions:
(1) Regulate the reputation loss of software vendors. From the signal game results, it is evident that the reputation loss of software vendors affects the compression time of the protection period. If the difference between the economic loss and reputation loss when a vulnerability is discovered and exploited by hackers and the reputation loss of a less willing vendor who does not actively research and develop patches after being disclosed by the platform is too large, i.e., , the range over which the vulnerability protection period can be compressed increases and may even exceed the range of the original protection period. At this time, the third-party platforms cannot accurately compress the protection period within the adjustable range, and the reputation loss will not attract the attention of the software vendors. On the contrary, if the difference is too small, the upper limit of the interval may fall below the lower limit, and the interval condition of the separation equilibrium is untenable and may not be borne by the software vendors. Generally, when a third-party platform finds that the reputation loss of a less willing software vendor who is not actively researching and developing patches is too small, it can use the news media or on-site promotion to widen the audience for the software vendor's behavior; when the reputation loss is too large, the platform can use its back end to adjust where the vulnerability information is displayed and reduce attention. While standardizing the reputation loss, measures should also be taken to urge software vendors who do not actively develop patches to do so during the protection period. The regulation of reputation loss ultimately helps the whole market achieve a separation equilibrium.
(2) Establish and improve a patch research and development credit reporting system for software vendors and improve the punishment mechanism for dishonesty. It is evident from the above conclusion that in the pooling equilibrium state, the share of software vendors in the market that actively develop patches affects the final income of the third-party platforms. When the proportion of software vendors actively developing patches in the market exceeds a certain threshold, the third-party vulnerability information sharing platforms can also benefit from choosing the normal protection period. In the pooling equilibrium state, the third-party platforms cannot judge the type of a software vendor from its signal. Therefore, it is necessary to establish and improve a patch research and development credit reporting system for software vendors that records their compliance and breach behaviors, encourages the software vendors who actively research and develop patches, and punishes those who do not, so that the behavior of each software vendor can be tracked. In this way the proportion of software vendors in the market that actively research and develop patches increases, and even if the market cannot reach the separation equilibrium state, the social public benefits required by the third-party vulnerability sharing platforms can be ensured.
(3) Currently, there are few provisions governing vulnerability disclosure in China, and the scope of the "relevant national regulations" to be complied with is not clear, so third-party platforms may bear potential legal risks in vulnerability disclosure. According to the above analysis, one of the conditions for reaching the separation equilibrium state is that, for software vendors who send low intention signals and are not actively researching and developing patches, the third-party platforms' benefits from the compressed protection period are greater than those from the normal protection period. Therefore, it is necessary to reduce . It is suggested that the relevant legislation clarify the responsibilities of software vendors, third-party vulnerability disclosure platforms, and government agencies, and design the rule system of network security vulnerability disclosure around the disclosure subject, disclosure object, disclosure method, and exemption from disclosure responsibility.
Data Availability
The data used to support the findings of this study are included within the article.
Conflicts of Interest
The authors declare that they have no conflicts of interest.
Acknowledgments
This work was supported by the National Social Science Fund of China under grant no. 19GBL236.