NETWORK SECURITY: VULNERABILITIES AND DISCLOSURE POLICY*
Examines the disclosure dilemma software vendors face once a vulnerability is discovered, analyzes the conditions for and effects of voluntary disclosure, mandatory disclosure, and bug bounty programs, and explains the economic logic behind security policy.
Software security is a major concern for vendors, consumers and regulators. When vulnerabilities are discovered after the software has been sold to consumers, the vendor faces a dilemma. A policy of disclosing vulnerabilities and issuing updates protects only those consumers who install the updates, while the disclosure itself helps attackers reverse engineer the vulnerability. The paper considers a firm that sells software subject to potential security breaches and derives the conditions under which the firm would disclose vulnerabilities. It then examines the effect of a regulatory policy that mandates disclosure of vulnerabilities and the effect of a ‘bug bounty’ program.