Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based disclosures

Abstract

Vulnerability disclosure has been a controversial topic among scholars and practitioners. Most scholars agree on adopting the responsible disclosure practices for vulnerability disclosures, which give firms a protected period to address the vulnerability before public disclosure is made. However, the firms may not fully utilize the protected period resulting in financial and reputational losses. The recent popularity in market-based disclosure methods such as bug bounty programs has provided new methods to control ethical hackers and effectively manage the disclosure timelines. Through a systematic literature review, we investigate and identify various vulnerability disclosure mechanisms and elaborate the disclosure process of each mechanism. We synthesize and compare the antecedents and consequences of the vulnerability disclosure under market- and non-market-based disclosure mechanisms by proposing two research frameworks. Our analysis suggests that incentivizing hackers in market mechanisms change hackers' motivations, leading to behavioral changes and eventually giving firms more control over the disclosure process. Additionally, our research frameworks provide a basis for further theorizing in this area. We also identify several open research questions addressing issues and challenges in the market-based disclosures. The research has important implications for firms, hackers, policymakers, and researchers in this area.