Impact of Vulnerability Disclosure and Patch Availability - An Empirical Analysis

Authors: Anand Nandkumar, Ashish Arora, Rahul Telang, Ramayya Krishnan, H. John Heinz

Abstract: Vulnerability disclosure is an area of public policy that has been subject to considerable debate, particularly between proponents of full and instant disclosure, and those of limited or no disclosure. This paper is an attempt to empirically test the impact of vulnerability information disclosure and availability of patches on attackers' tendency to exploit vulnerabilities on one hand and on vendors' tendency to release patches on the other. Our results suggest that while vendors are quick to respond to disclosure, disclosure also increases the frequency of attacks. However, the frequency of attacks decreases over time. We find that open source vendors patch more quickly than closed source vendors and that large vendors are more responsive.

References (8)
Stuart E. Schechter, Michael D. Smith. How Much Security Is Enough to Stop a Thief?: The Economics of Outsider Theft via Computer Systems and Networks. Financial Cryptography, pp. 122-137 (2003).
J. McHugh, W.L. Fithen, W.A. Arbaugh. Windows of vulnerability: a case study analysis. IEEE Computer, vol. 33, pp. 52-59 (2000). doi:10.1109/2.889093
N.M. Kiefer. Economic duration data and hazard functions. Journal of Economic Literature, vol. 26, pp. 646-679 (1988).
Lawrence A. Gordon, Martin P. Loeb, Tashfeen Sohail. A framework for using insurance for cyber-risk management. Communications of the ACM, vol. 46, pp. 81-85 (2003). doi:10.1145/636772.636774
Ashish Arora, Jonathan P. Caulkins, Rahul Telang. Sell First, Fix Later: Impact of Patching on Software Quality. Social Science Research Network (2003). doi:10.2139/SSRN.670285
Perry Wagle, Steve Beattie, Crispin Cowan, Seth Arnold, Chris Wright, Adam Shostack. Timing the Application of Security Patches for Optimal Uptime. USENIX Large Installation Systems Administration Conference, pp. 233-242 (2002).