Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures
Vulnerability disclosure has been a controversial topic among scholars and practitioners. Most scholars agree on adopting responsible disclosure practices, which give firms a protected period to address a vulnerability before public disclosure is made. However, firms may not fully utilize the protected period, resulting in financial and reputational losses. The recent popularity of market-based disclosure methods such as bug bounty programs has provided new methods to control ethical hackers and effectively manage disclosure timelines. Through a systematic literature review, we investigate and identify various vulnerability disclosure mechanisms and elaborate on the disclosure process of each mechanism. We synthesize and compare the antecedents and consequences of vulnerability disclosure under market- and non-market-based disclosure mechanisms by proposing two research frameworks. Our analysis suggests that incentivizing hackers in market mechanisms changes hackers' motivations, leading to behavioral changes and eventually giving firms more control over the disclosure process. Additionally, our research frameworks provide a basis for further theorizing in this area. We also identify several open research questions addressing issues and challenges in market-based disclosures. The research has important implications for firms, hackers, policymakers, and researchers in this area.
© This manuscript version is made available under the CC-BY-NC-ND 4.0 license https://creativecommons.org/licenses/by-nc-nd/4.0/
Metadata
Work Title | Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures |
---|---|
Access | |
Creators | |
Keyword | |
License | CC BY-NC-ND 4.0 (Attribution-NonCommercial-NoDerivatives) |
Work Type | Article |
Publisher | |
Publication Date | July 7, 2021 |
Publisher Identifier (DOI) | |
Deposited | May 10, 2024 |