Abstract

In this paper, we use the event study methodology to examine the role that financial markets play in determining the impact of vulnerability disclosures on software vendors. We collect data from leading national newspapers and industry sources by searching for reports on published software vulnerabilities. Our main result is that vulnerability disclosures do lead to a negative and significant change in market value for a software vendor. On average, a vendor loses around 0.6% value in stock price when a vulnerability is reported. To provide further insight, we use the information content of the disclosure announcement to classify vulnerabilities into various types. This is the first study to measure vendors’ incentive to develop secure software and also provides many interesting implications for software vendors as well as policy makers.

Download

Share

COinS