Signal Game Analysis between Software Vendors and Third-Party Platforms in Collaborative Disclosure of Network Security Vulnerabilities

Abstract

The global network threat is becoming more and more serious, and network security vulnerability management has become one of the critical areas in the national information security emergency system construction. To guide the third-party sharing platforms regarding network security vulnerability management, this work constructs a signal game model comprising third-party vulnerability sharing platforms and software vendors for vulnerability collaborative disclosures. In addition, we analyze the game strategy selection and its influencing factors. The results show that there are two perfect Bayesian equilibria, including separation equilibrium and mixed equilibrium, due to the incomplete lines of information disclosure. The equilibrium state is mainly based on the compression time of the protection period and the existence ratio of the software vendors who develop the patches in the market. This work puts forward some suggestions in terms of the protection period, reputation loss, and relevant laws and regulations.