Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures

Ali Ahmed, Amit Deokar, Ho Cheung Brian Lee

Research output: Contribution to journal, Article, peer-review

Abstract

Vulnerability disclosure has been a controversial topic among scholars and practitioners. Most scholars agree on adopting responsible disclosure practices for vulnerability disclosures, which give firms a protected period to address the vulnerability before public disclosure is made. However, firms may not fully utilize the protected period, resulting in financial and reputational losses. The recent popularity of market-based disclosure methods such as bug bounty programs has provided new ways to control ethical hackers and effectively manage disclosure timelines. Through a systematic literature review, we investigate and identify various vulnerability disclosure mechanisms and elaborate the disclosure process of each mechanism. We synthesize and compare the antecedents and consequences of vulnerability disclosure under market- and non-market-based disclosure mechanisms by proposing two research frameworks. Our analysis suggests that incentivizing hackers in market mechanisms changes hackers' motivations, leading to behavioral changes and eventually giving firms more control over the disclosure process. Additionally, our research frameworks provide a basis for further theorizing in this area. We also identify several open research questions addressing issues and challenges in market-based disclosures. The research has important implications for firms, hackers, policymakers, and researchers in this area.

Original language: English (US)
Article number: 113586
Journal: Decision Support Systems
DOIs
State: Accepted/In press - 2021

All Science Journal Classification (ASJC) codes

  • Management Information Systems
  • Information Systems
  • Developmental and Educational Psychology
  • Arts and Humanities (miscellaneous)
  • Information Systems and Management
