Professor of Economics and Public Policy, Carnegie Mellon University, Pittsburgh; Measuring Innovation in the Twenty-First Century Advisory Committee to Secretary of Commerce, United States
A key aspect of better and more secure software is timely patch release by software vendors for the vulnerabilities in their products. Software vulnerability disclosure, which refers to the publication of vulnerability information, has generated intense debate. An important consideration in this debate is the behavior of software vendors. How quickly do vendors patch vulnerabilities and how does disclosure affect patch release time? This paper compiles a unique data set from the Computer Emergency Response Team/Coordination Center (CERT) and SecurityFocus to answer this question. Our results suggest that disclosure accelerates patch release. The instantaneous probability of releasing the patch rises by nearly two and a half times because of disclosure. Open source vendors release patches more quickly than closed source vendors. Vendors are more responsive to more severe vulnerabilities. We also find that vendors respond more slowly to vulnerabilities not disclosed by CERT. We verify our results by using another publicly available data set and find that results are consistent. We also show how our estimates can aid policy makers in their decision making.
We examine the question of which services are tradable within a concrete setting: the outsourcing of information technology (IT) services across a broad cross-section of establishments in the United States. If markets for IT services are local, then we should expect increases in local supply would increase the likelihood of outsourcing by lowering the cost of outsourcing. If markets are not local, then local supply will not affect outsourcing demand. We analyze the outsourcing decisions of a large sample of 99,775 establishments in 2002 and 2004, for two types of IT services--programming and design and hosting. Programming and design projects require communication of detailed user requirements whereas hosting requires less coordination between client and service provider than programming and design. Our empirical results bear out this intuition: the probability of outsourcing programming and design is increasing in the local supply of outsourcing, and this sensitivity to local supply conditions has been increasing over time. This suggests there is some nontradable or "local" component to programming and design services that cannot be easily removed. In contrast, the decision to outsource hosting is sensitive to local supply only for firms for which network uptime and security concerns are particularly acute.