Article ID: 5076073
Journal: Information Economics and Policy
Published Year: 2007
Pages: 22 Pages
File Type: PDF

Abstract

We address the ongoing debates over disclosing information about software vulnerabilities through an open public forum. A game-theoretic approach is used to show that full public disclosure can be an equilibrium strategy in a game played by rational loss-minimizing agents. We provide conditions under which full disclosure of vulnerabilities improves social welfare and analyze the effect of vendor and product characteristics, as well as the composition of the pool of software users on the decisions to disclose. We also provide conditions under which user threats to vendors to disclose after a grace period or users' ability to develop fixes themselves further improve welfare. The likelihood that user-developed fixes improve welfare increases with user familiarity with the details of software, providing an argument for “open source” software.
