An empirical analysis of vulnerability information disclosure impact on patch R&D of software vendors

Abstract

The vulnerability patch R&D has become an important part of information security governance. An effective collaboration with software vendors in patch R&D is of great significance to reduce the existence time of information security risks. This works aims to explore the relationship between vulnerability information disclosure and patch R&D of software vendors. The data regarding the vulnerability and software vendors is gathered from third-party vulnerability sharing platforms, including (China’s national information security vulnerability database, CNNVD) and Tianyacha.com. Based on the theory of organizational information processing, linear regression model and Cox proportional risk regression model are built for appropriately addressing the research questions. The results show that the vulnerability disclosure of the third-party sharing platform can improve the patch R&D probability of software vendors. The information processing requirements, such as vulnerability information attention, vulnerability score and whether vulnerabilities are disclosed in advance accelerate the vulnerability patch R&D. The enterprise information processing capability indicators, including the industry dependence of software product customers and the staff size of software vendors accelerate the patch R&D. The number of products affected by the vulnerabilities and the number of software copyrights of software vendors have no significant impact on patch R&D.