Author(s)
Source
Journal of Industrial Economics, Vol. 58, pp. 868-894, 2010
Summary
This paper asks if software firms should be required to tell customers about security flaws (“mandatory disclosure”).
Policy Relevance
The authors show that requiring firms to disclose security bugs is sometimes helpful to consumers, but not always. A "bug bounty" program is always helpful.
Main Points
- Limits on the benefits of disclosure include alerting hackers to a potential weakness, a tendency to raise product prices, and the cost to consumers of installing and testing a patch.
- Firms tend to disclose when hackers are very likely to attack, because disclosure is unlikely to increase the chance of attack. Hackers are more likely to attack when the damage is high.
- Firms limit vulnerability to hackers before software is released by reducing flaws. The paper shows this can help consumers and increase profits. But more investment pre-release makes it more likely a firm will not disclose flaws post-release, making consumers less well off.
- Firms limit vulnerability after a software release by finding flaws before hackers, perhaps by offering a bounty to others who discover bugs. More investment in this type of control makes it more likely that a firm will disclose, making consumers better off.
- The authors conclude that “bug bounties” are always helpful. A mandatory disclosure policy is helpful when attack is very likely and the damage small, but:
  - is harmful if attack is moderately likely and damage moderate
  - has no effect when attack is very likely and damage large