Determinants of Software Vulnerability Disclosure Timing

The timing of vulnerability disclosures (by vulnerability discoverers) has significant implications for software producers and users. Immediate disclosure (before a patch becomes available) could result in exploits with subsequent harm to installed systems. Therefore, it is important to understand the determinants of this timing. In this study, we investigate the impacts of (i) the perception of the vulnerability discoverer about the software producer, (ii) the type of vulnerable software, and (iii) the severity of the vulnerability, on a vulnerability discoverer's choice of disclosure timing. We collect data from three different sources and control for the vulnerability discoverer's motivations and beliefs. Our results indicate that those who perceive a software producer to be timely in its patch release, reward it by delaying the disclosure. We also find that it is more likely that the disclosure is delayed for open source software and it is less likely that the disclosure is delayed for more severe vulnerabilities. The findings of this study are relevant to software producers in their decision-making process on resource allocation for software patches and should also help policy-makers to devise regulations relevant to the timing of disclosures and patch releases. Furthermore, these findings could be relevant to software consumers searching for a particular software product that they would like to use. This study attempts to provide insights into an ongoing discussion in the operations management community regarding how to allocate and divide resources between software development and software maintenance.