DOI: 10.1145/1102120.1102173
Article

Security market: incentives for disclosure of vulnerabilities

Published: 07 November 2005

Abstract

A previous paper by the author proposed a model for when disclosure helps or hurts security, and provided reasons why computer security is often different in this respect than physical security. This paper examines the incentives of actors to disclose vulnerabilities. A chief point of this paper is that the incentives of disclosure depend on two, largely independent, assessments - the degree to which disclosure helps or hurts security, and the degree to which disclosure creates advantages or disadvantages for the organization competitively.

The paper presents a 2x3 matrix, where disclosure for security and competition are assessed for three types of systems or software: Open Source; proprietary software; and government systems. Surprisingly, the paper finds significant convergence on disclosure between Open Source and proprietary software. For instance, Open Source security experts often do not disclose configurations and settings, and Open Source programmers often rely on trade secrets (i.e., lack of disclosure) to gain competitive advantage. Similarly, proprietary software often uses more disclosure than assumed. For security, large purchasers and market forces often lead to disclosure about proprietary software. For competitive reasons, proprietary software companies often disclose a great deal in order to seek to become a standard in a competitive space.

Despite this greater-than-expected convergence of practice for Open Source and proprietary software, there are strong reasons to believe that less-than-optimal disclosure happens for government systems. The tradition of military secrecy, and the concern about tipping off attackers, leads to a culture of secrecy for government security. Competition for turf, such as the FBI's reputation for not sharing with local law enforcement, further reduces agency incentives to share information about vulnerabilities.

Cited By

  • (2008) Reinterpreting the Disclosure Debate for Web Infections. Managing Information Risk and the Economics of Security, pp. 179-197. DOI: 10.1007/978-0-387-09762-6_9. Online publication date: 22-Dec-2008
Published In

CCS '05: Proceedings of the 12th ACM conference on Computer and communications security
November 2005
422 pages
ISBN: 1595932267
DOI: 10.1145/1102120

Publisher

Association for Computing Machinery, New York, NY, United States


Acceptance Rates

Overall acceptance rate: 1,261 of 6,999 submissions, 18%
