Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures

Vulnerability disclosure has been a controversial topic among scholars and practitioners. Most scholars agree on adopting responsible disclosure practices, which give firms a protected period to address a vulnerability before it is publicly disclosed. However, firms may not fully utilize the protected period, resulting in financial and reputational losses. The recent popularity of market-based disclosure methods such as bug bounty programs has provided new ways to control ethical hackers and effectively manage disclosure timelines. Through a systematic literature review, we investigate and identify various vulnerability disclosure mechanisms and elaborate the disclosure process of each mechanism. We synthesize and compare the antecedents and consequences of vulnerability disclosure under market- and non-market-based disclosure mechanisms by proposing two research frameworks. Our analysis suggests that incentivizing hackers in market mechanisms changes hackers' motivations, leading to behavioral changes and eventually giving firms more control over the disclosure process. Additionally, our research frameworks provide a basis for further theorizing in this area. We also identify several open research questions addressing issues and challenges in market-based disclosures. The research has important implications for firms, hackers, policymakers, and researchers in this area.

© This manuscript version is made available under the CC-BY-NC-ND 4.0 license https://creativecommons.org/licenses/by-nc-nd/4.0/

Files
  1. Manuscript_1_DECSUP-D-20-01530R1-1.pdf

Metadata

Work Title Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures
Access
Open Access
Creators
  1. Ali Ahmed
  2. Amit Deokar
  3. Ho Cheung Brian Lee
Keyword
  1. Vulnerability disclosure
  2. Bug bounty
  3. Systematic literature review
  4. Vulnerability markets
  5. Information security economics
License CC BY-NC-ND 4.0 (Attribution-NonCommercial-NoDerivatives)
Work Type Article
Publisher
  1. Decision Support Systems
Publication Date July 7, 2021
Publisher Identifier (DOI)
  1. https://doi.org/10.1016/j.dss.2021.113586
Deposited May 10, 2024

Work History

Version 1 (published)

  • Added manuscript file Manuscript_1_DECSUP-D-20-01530R1-1.pdf
  • Added creators Ali Ahmed, Amit Deokar, Ho Cheung Brian Lee
  • Updated keywords: Vulnerability disclosure, Bug bounty, Systematic literature review, Vulnerability markets, Information security economics
  • Updated publication date from 2021-05-05 to 2021-07-07