To Disclose or Not? An Analysis of Software User Behavior

Abstract

This paper addresses the ongoing debate over disclosing information about software vulnerabilities through an open forum. Using a game-theoretic approach, we show that full public disclosure may be an equilibrium strategy in a game played by rational loss-minimizing agents. We provide conditions under which full public disclosure of vulnerabilities is desirable from a social welfare standpoint. We analyze the effect of several vendor and product characteristics and the composition of the pool of software users on the decisions to disclose and on social welfare. We also examine models in which users spend effort to develop a fix or threaten vendors to disclose after a grace period. We show that to the extent that users are able to develop fixes for discovered vulnerabilities without inordinate effort, welfare is further improved. This is more likely the more familiar users are with the details of software providing an argument for "open source" software.