Key factors impacting on response time of software vendors in releasing patches for software vulnerabilities

Key factors impacting on response time of software vendors in releasing patches for software vulnerabilities

Software vulnerabilities are a major problem for organizations and society given how pervasive the use of computers and the Internet and networks has become. Computers, the Internet and networks in general are underpinned by operating system software and, increasingly, software applications are integrated with the Internet. In this increasingly complex environment hackers and attackers are more likely to take advantage of software vulnerabilities and exploit operating system software and application software. These software exploitations can result in huge losses to businesses which are highly reliant on computerized systems. Software vendors are responsible for securing these vulnerabilities through software patching. This study examines the effect of the level of criticality of software vulnerabilities, type of software vendor and type of software on the software vendors‘ response time in releasing software patches once software vendors have been informed of vulnerabilities in their software.

The main theoretical support for this study is software security disclosure theory and an economic model of software security investment. These theories provide a framework for understanding how open source versus proprietary software vendors respond with patches to software vulnerabilities depending on the level of criticality of the software vulnerability and the type of software.

Empirical data was collected from four related software vulnerability databases: SecurityFocus, Open Source Vulnerability Database, National Vulnerability Database and Secunia. These four software vulnerability databases contain archival data about software vulnerabilities which has been rigorously collected and screened. This research focuses on software vulnerabilities that have been recently reported in these software vulnerability databases from 2008 to 2010. To test the hypothesised relationships in the proposed research model, multiple regression analysis is used as the main statistical tool.

Analysis of the archival data confirms that software vendors release patches for software vulnerabilities with a medium level of criticality in a shorter response time
than software vulnerabilities with low and high levels of criticality once the vendor has been informed of the software vulnerability. Open source vendors release patches for open source software vulnerabilities 39% quicker than proprietary source vendors release patches for proprietary software. Patches for operating system software vulnerabilities are released 8% slower than patches for application software vulnerabilities.

This study contributes to the existing knowledge and theory by investigating how the different levels of criticality of software vulnerabilities, the differences between open and proprietary source software vendors and the difference between operating system software and application software impact on the response time of software vendors in releasing patches once the software vendor is informed of software vulnerabilities. The findings of this study also establish that responsible disclosure is a more effective mechanism than full disclosure for determining the response time of software vendors. This study contributes to practice by providing an enhanced understanding of the software vulnerability landscape and the complex process of software vendors‘ patching behaviour.