Optimal Security Patch Release Timing under Non-homogeneous Vulnerability-Discovery Processes

摘要

This paper proposes a patch management model with non-homogeneous vulnerability-discovery processes to find the optimal security patch release times. The proposed model is an extension of Cavusoglu et al. (2006, 2008) by applying non-homogeneous vulnerability-discovery processes which are based on a vulnerability life-cycle model, and provides the optimal schedule for security patch release times over a software life cycle by means of cost analysis. In numerical examples, we show that the optimal patch release policy becomes an aperiodic release strategy, and compare the minimum cost under the optimal policy with that under a periodic release strategy. In addition, based on opened vulnerability data, we illustrate the optimal security patch release policy for a real software product.