Arora et al 2008: An Empirical Analysis of Software Vendors’ Patch Release Behavior: Impact of Vulnerability Disclosure
A. Arora, R. Krishnan, R. Telang, Y. Yang (2008) "An Empirical Analysis of Software Vendors’ Patch Release Behavior: Impact of Vulnerability Disclosure", Information Systems Research (ISR), 21(1), 115-132
I read this article because of its consideration of open source software (OSS), even though it is considered in only one hypothesis; the paper was nonetheless quite interesting and valuable.
- Rationale: Because of the high volume of security vulnerabilities in software, it is very important for software vendors to create and release patches to their customers as soon as possible once they become aware of such vulnerabilities. One factor that could affect the speed of a patch release is whether the vulnerability has been publicly disclosed. Such public disclosure enables malicious programmers to exploit the vulnerability, to the harm of the vendors' clientele.
- Objectives: This study empirically investigates various factors that affect how rapidly a software vendor releases a patch for their software once a vulnerability is publicly disclosed.
- Theoretical background: The theory is based partly on research streams in software quality, but mostly on the economics of information security, particularly regarding the implications of "vulnerability disclosure and vendor patch release" (p. 117).
- Key questions: H1: Public disclosure speeds up patch release. H2: "Larger vendors release patches faster" (p. 119). H3: Severity of the vulnerability speeds up patch release. H4: Vendors respond faster to CERT (Community Emergency Response Team) vulnerability disclosures. H5: "Open source vendors release patches faster" (p. 119).
- Methodology: The study uses a conditional or proportional hazard model (from management science and economics) "that estimates how disclosure affects the probability of the vendor releasing a patch, given that the vendor has not released patch until then" (p. 124). I don't understand the mathematics of this methodology; it was new for me.
- Variables and data sources: The dependent variable was the number of days after disclosure it took to patch a vulnerability. The independent variables were the severity of the vulnerability, the source of the publication (CERT or SecurityFocus), the size of the vendor, and whether or not the vendor was an OSS vendor. Other variables were also measured. Data came from vulnerabilities reported by CERT and SecurityFocus. For external validity, data on Microsoft vulnerabilities from Brian Krebs was also used.
- Key findings: Public disclosure strongly increased the speed of patch release. Vendor size was not significant, but the severity of the vulnerability was. Vulnerabilities disclosed by CERT were patched faster. OSS vendors released patches faster. The external validity check on Microsoft vulnerabilities corroborated these findings.
- Key contribution to knowledge: This paper empirically demonstrates that public disclosure of vulnerabilities (as opposed to merely the threat of disclosure) does indeed increase the speed of the release of patches. It also demonstrates that OSS vendors do indeed release patches faster than vendors of proprietary software.
- Key implications: The authors caution that although disclosure does increase the speed of patch release, the potential harm to customers must be considered; one cannot surmise from these findings that it is therefore beneficial to always disclose vulnerabilities. For OSS, this study supports the claim of one element of superior post-sales support: the speed of patch release for disclosed vulnerabilities.
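To make the methodology and variables items above concrete, here is an added example (my own code, not the authors' analysis or data) that computes the core quantity a hazard model works with: the probability that a patch is released on day t after disclosure, given that no patch had been released before t. It builds a constructed set of vulnerability records (hypothetical identifiers, vendors and dates), treats still-unpatched records as right-censored rather than discarding them, estimates the discrete hazard and the Kaplan-Meier survivor curve, and compares median days-to-patch between open source and proprietary vendors. This is the non-parametric building block, not the paper's regression-based proportional hazards model, which additionally adjusts for covariates such as severity and vendor size.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import date
from fractions import Fraction
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class VulnRecord:
    """One disclosed vulnerability (constructed sample, not data from the paper)."""
    vuln_id: str
    vendor: str
    oss: bool                 # True if the vendor is an open source project
    disclosed: date           # date the vulnerability became public
    patched: Optional[date]   # None = no patch by the end of the observation window


# Constructed observation cutoff: records without a patch by this date are right-censored.
OBSERVATION_END = date(2024, 6, 30)

# Constructed sample data (hypothetical identifiers, vendors and dates).
RECORDS: List[VulnRecord] = [
    VulnRecord("V-01", "oss-a", True, date(2024, 1, 1), date(2024, 1, 4)),
    VulnRecord("V-02", "oss-a", True, date(2024, 1, 10), date(2024, 1, 15)),
    VulnRecord("V-03", "oss-b", True, date(2024, 2, 1), date(2024, 2, 11)),
    VulnRecord("V-04", "oss-b", True, date(2024, 3, 1), None),
    VulnRecord("V-05", "prop-x", False, date(2024, 1, 5), date(2024, 1, 25)),
    VulnRecord("V-06", "prop-x", False, date(2024, 1, 20), date(2024, 2, 19)),
    VulnRecord("V-07", "prop-y", False, date(2024, 2, 10), date(2024, 3, 21)),
    VulnRecord("V-08", "prop-y", False, date(2024, 4, 1), None),
]


def time_to_patch(rec: VulnRecord, end: date = OBSERVATION_END) -> Tuple[int, bool]:
    """Days from disclosure until the patch, plus whether the patch was observed.

    A still-unpatched record contributes the days observed so far with event=False;
    dropping such records instead would bias the estimate toward fast patchers.
    """
    if rec.patched is None:
        return (end - rec.disclosed).days, False
    return (rec.patched - rec.disclosed).days, True


def discrete_hazard(records, end=OBSERVATION_END) -> List[Tuple[int, int, int, Fraction]]:
    """Empirical hazard at each observed patch time t.

    h(t) = d_t / n_t, where n_t is the risk set (records still unpatched just before t,
    censored ones included while still under observation) and d_t is the number patched
    exactly at t: the probability of a patch at t given no patch before t.
    Returns (t, n_t, d_t, h_t) in increasing t. Fractions keep the arithmetic exact.
    """
    obs = [time_to_patch(r, end) for r in records]
    event_times = sorted({t for t, event in obs if event})
    table = []
    for t in event_times:
        at_risk = sum(1 for tt, _ in obs if tt >= t)
        events = sum(1 for tt, event in obs if event and tt == t)
        table.append((t, at_risk, events, Fraction(events, at_risk)))
    return table


def survival_curve(hazards) -> List[Tuple[int, Fraction]]:
    """Kaplan-Meier survivor function S(t) = prod over s <= t of (1 - h(s)):
    the probability that a vulnerability is still unpatched t days after disclosure."""
    s = Fraction(1)
    curve = []
    for t, _, _, h in hazards:
        s *= 1 - h
        curve.append((t, s))
    return curve


def median_days_to_patch(records, end=OBSERVATION_END) -> Optional[int]:
    """Smallest t with S(t) <= 1/2; None if fewer than half were ever patched."""
    for t, s in survival_curve(discrete_hazard(records, end)):
        if s <= Fraction(1, 2):
            return t
    return None


def compare_groups(records, key: Callable[[VulnRecord], str]) -> Dict[str, Optional[int]]:
    """Median days-to-patch per group, e.g. open source vs proprietary vendors."""
    groups = defaultdict(list)
    for r in records:
        groups[key(r)].append(r)
    return {g: median_days_to_patch(rs) for g, rs in groups.items()}


if __name__ == "__main__":
    for t, n, d, h in discrete_hazard(RECORDS):
        print(f"day {t:3d}: at risk {n}, patched {d}, hazard {h}")
    print(compare_groups(RECORDS, lambda r: "oss" if r.oss else "proprietary"))
```

On the constructed sample the overall median time to patch is 20 days, the open source group reaches a 50% patch probability at day 5 and the proprietary group at day 30; the two censored records stay in the risk set until their observation ends, which is what distinguishes a hazard estimate from a plain average of patch delays. The paper's model goes one step further and regresses this hazard on disclosure, severity, vendor size, disclosure source and OSS status at once, so that the groups are compared with the other factors held constant.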