Information Systems Research
INFORMATION SYSTEMS RESEARCH,
Published online in Articles in Advance, June 12, 2009
DOI: 10.1287/isre.1080.0226

An Empirical Analysis of Software Vendors' Patch Release Behavior: Impact of Vulnerability Disclosure

Ashish Arora, Ramayya Krishnan, Rahul Telang, Yubao Yang

H. John Heinz III College, Carnegie Mellon University, Pittsburgh, Pennsylvania 15213

ashish{at}andrew.cmu.edu
rk2x{at}andrew.cmu.edu
rtelang{at}andrew.cmu.edu
yubaoy{at}andrew.cmu.edu

A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors: how quickly do vendors patch vulnerabilities, and how does disclosure affect patch release time? This paper compiles a unique data set from CERT and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release: the instantaneous probability of patch release (the hazard rate) rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results using another publicly available data set and find them consistent. We also show how our estimates can aid policy makers in their decision making.

Key Words: security vulnerability; disclosure policy; patch release time; open source vendors; information security; software vendors; hazard model
History: This paper was received on November 1, 2006.
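The headline number in the abstract is a hazard ratio: once a vulnerability is publicly disclosed, the instantaneous rate at which the vendor ships a patch is multiplied by roughly 2.5. The following is an added example, not the authors' code, data or estimator, showing how such a figure is obtained from per-vulnerability notification, disclosure and patch dates under a piecewise-constant hazard model in which disclosure enters as a time-varying covariate: each vulnerability's time at risk is split at its disclosure date, and the patch rate is estimated separately in the undisclosed and disclosed states. The `VulnRecord` fields, the simulated parameters (base patch hazard 1/60 per day, disclosure arriving at 1/45 per day, a true ratio of 2.5, a 365-day observation window) and all identifiers are constructed assumptions; the paper's own model specification and data set are not reproduced here.

```python
"""Piecewise-exponential hazard model with disclosure as a time-varying covariate.

Added illustration with constructed data; not the paper's data set or estimates.
Each record follows one vulnerability from the day the vendor is notified (t=0):
the day it is publicly disclosed (None if not disclosed within the observation
window) and the day the patch ships (None if still unpatched at the end of the
window, i.e. right-censored).
"""
import math
import random
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class VulnRecord:
    vuln_id: str                    # hypothetical identifier
    disclosed_at: Optional[float]   # days after notification, or None
    patched_at: Optional[float]     # days after notification, or None (censored)


def split_exposure(records, horizon):
    """Split each vulnerability's time at risk into the 'undisclosed' and
    'disclosed' states and count patch events in each state.

    Returns (exposure_pre, events_pre, exposure_post, events_post), with
    exposure measured in vulnerability-days."""
    exp_pre = exp_post = 0.0
    ev_pre = ev_post = 0
    for r in records:
        end = horizon if r.patched_at is None else min(r.patched_at, horizon)
        patched = r.patched_at is not None and r.patched_at <= horizon
        d = r.disclosed_at
        if d is None or d >= end:
            # Whole at-risk interval spent undisclosed (patched first, or never disclosed).
            exp_pre += end
            ev_pre += int(patched)
        else:
            # Undisclosed until d, then disclosed until the patch or the study end.
            exp_pre += d
            exp_post += end - d
            ev_post += int(patched)
    return exp_pre, ev_pre, exp_post, ev_post


def hazard_ratio(records, horizon):
    """Maximum-likelihood estimate of the disclosure hazard ratio under a
    piecewise-constant hazard: rate = events / exposure in each state.
    Returns both rates, their ratio and the standard error of the log ratio."""
    exp_pre, ev_pre, exp_post, ev_post = split_exposure(records, horizon)
    if min(exp_pre, exp_post, ev_pre, ev_post) <= 0:
        raise ValueError("need patch events and exposure in both states")
    rate_pre = ev_pre / exp_pre
    rate_post = ev_post / exp_post
    return {
        "rate_undisclosed": rate_pre,
        "rate_disclosed": rate_post,
        "ratio": rate_post / rate_pre,
        "log_ratio_se": math.sqrt(1 / ev_pre + 1 / ev_post),
    }


def simulate(n, base_rate, true_ratio, disclosure_rate, horizon, seed=0):
    """Constructed sample: the patch hazard is base_rate while undisclosed and
    base_rate * true_ratio once disclosed; disclosure arrives independently at
    disclosure_rate. All three rates are hypothetical parameters."""
    rng = random.Random(seed)
    out = []
    for i in range(n):
        d = rng.expovariate(disclosure_rate)         # public disclosure day
        t = rng.expovariate(base_rate)               # patch day if never disclosed
        disclosed = d if d <= horizon else None
        if t < d:
            patched = t                              # patched before disclosure
        else:
            patched = d + rng.expovariate(base_rate * true_ratio)
        if patched > horizon:
            patched = None                           # still unpatched at study end
        out.append(VulnRecord(f"V-{i:05d}", disclosed, patched))
    return out


if __name__ == "__main__":
    sample = simulate(5000, base_rate=1 / 60, true_ratio=2.5,
                      disclosure_rate=1 / 45, horizon=365, seed=1)
    est = hazard_ratio(sample, horizon=365)
    print(f"estimated disclosure hazard ratio: {est['ratio']:.2f} "
          f"(true 2.5, log-ratio SE {est['log_ratio_se']:.3f})")
```

The estimator is the usual one for a rate with a binary time-varying covariate: because exposure is credited to whichever state the vulnerability was in on each day, a patch released before disclosure counts against the undisclosed rate only, and a vulnerability still unpatched at the end of the window contributes exposure to both states but no event. Running the script on the constructed sample returns a ratio close to the 2.5 it was generated with; applied to real notification, disclosure and patch dates, the same split is what turns "disclosed vs. not yet disclosed" into a hazard ratio of the kind the abstract reports.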





Copyright © 2009 by INFORMS.