A new ENISA report aims to provide a glimpse into the costs, incentives, and impact related to discovering and disclosing vulnerabilities in information security.
The report also examines the economic factors, incentives and motivations that shape the behaviour of the different actors in a vulnerability disclosure, and presents two case studies of recently disclosed high-profile vulnerabilities that illustrate how the process unfolds in practice.
The analysis presented in this report will be useful to all the key stakeholders involved in, or affected by, the disclosure of a vulnerability in a software or hardware component or system, including researchers, consumers, vendors, vulnerability coordinators and brokers, regulators, managers, and information security experts and officers. The report builds upon the ‘ENISA good practice guide on vulnerability disclosure’ published in 2016.
The Executive Director of ENISA Udo Helmbrecht commented: “Economics is a key driver of modern security and economic considerations often determine the decision of approaches to be taken when resolving issues. This report perfectly illustrates this fact and provides valuable insight into why different actors behave as they do in the vulnerability disclosure space.”
Vulnerability disclosure refers to the process of identifying, reporting and patching exploitable weaknesses in software, hardware or services. The different actors within a vulnerability disclosure process are subject to a range of economic considerations and incentives that may influence their behaviour.
These economic aspects of vulnerability disclosure are often overlooked and poorly understood, but may help explain why some vulnerabilities are disclosed responsibly while others are not.