The Effects of Vulnerability Disclosure Policy on the Diffusion of Security Attacks

摘要

With the nearly instantaneous spread of information in modern society, policies regarding the disclosure of information about security vulnerabilities have become the focus of significant discussion. The fundamental debate centers on tradeoffs inherent in disclosing information that security professionals need, but that can also be used for nefarious purposes. Our empirical study compares attacks based on software vulnerabilities disclosed through full disclosure and limited disclosure mechanisms. We find that full disclosure accelerates the diffusion of attacks and increases the risk of first attack after the vulnerability is reported. Building off our theoretical insights, we discuss the implications of our findings on information disclosure in more general contexts.