Toward a Theory of Vulnerability Disclosure Policy: A Hacker’s Game

Canaan, Taylor J.


A game between software vendors, heterogeneous software users, and a hacker is introduced in which the software vendors attempt to protect the software users by releasing updates (i.e., disclosing a vulnerability), and the hacker attempts to exploit vulnerabilities in the software package to attack the software users. The software users must decide whether the protection offered by an update outweighs the cost of installing it. Following the model is an explanation of why disclosing vulnerabilities can be an optimal policy only when the hacker's cost of searching for a zero-day vulnerability is small. The model is also extended to discuss Microsoft's new "extended support" disclosure policy.



By first understanding the behavioral consequences of policy changes in cyberspace, we are better able to defend and understand the increasingly connected world in which we live. One of the greatest drivers of human progress in the last couple of decades has been access to technology and the internet, but how we enforce cybersecurity is a pressing problem. Cybersecurity requires an interdisciplinary approach to solve the many problems in fields such as fintech, cybercrime, human rights violations, and e-commerce. How individual freedoms can be preserved while human progress is advanced within cyberspace is the focus of the research within this initiative.
