ABSTRACT: Software vulnerabilities have become a serious concern because unpatched software runs the risk of being exploited by hackers. There is a need for software vendors to make software patches available in a timely manner for vulnerabilities in their products. We develop a survival analysis model of software vendors' patch release behavior and test it using a data set compiled from the National Vulnerability Database, United States Computer Emergency Readiness Team, and vendor Web sites. This model helps to understand how factors specific to vulnerabilities, patches, software vendors, and software affect the patch release behavior of software vendors based on their cost structure. This study also analyzes the impact of the presence of multiple vendors and type of vendor on the patch release behavior of software vendors. Our results indicate that vulnerabilities with high confidentiality impact or high integrity impact are patched faster than vulnerabilities with high availability impact. Interesting differences in the patch release behavior of software vendors based on software type (new release versus update) and type of vendor (open source versus proprietary) are found. Our results illustrate that when there are legislative pressures, vendors react faster in patching vulnerabilities. Thus, appropriate regulations can be an important policy tool to influence vendor behavior toward socially desirable security outcomes.
Key words and phrases: patch quality, patch release time, patch types, software vendor types, software vulnerability characteristics, survival analysis