Coordination of the collective volume « Vous prendrez bien un cookie ? », Presse des Mines, forthcoming
Platform business models and information disorder, DemoCIS project
Economic viability of a public identifier registry for the IoT
Arrah-Marie Jo. Les effets inattendus du RGPD sur la concurrence dans le marché de la publicité en ligne [The unexpected effects of the GDPR on competition in the online advertising market]. In Christine Petr and Olivier Segard (eds.), Le droit à la vie privée - L'urgence de l'hygiène numérique, Presses universitaires de Rennes, pp. 243-254, 2024.
The effect of competition intensity on software security – An empirical analysis of security patch release on the web browser market. Review of Network Economics, 2024.
This paper examines the effect of competition intensity on software vendors’ security investments. We consider two aspects that reflect the competition intensity in a market: market concentration and the dominant position of a firm. We first develop a formal model of competition where the user demand depends only on product quality and investigate whether equilibrium levels of security quality increase as competition intensifies. Then, we test the model’s predictions using a 10-year pooled cross-sectional data set on web browser vulnerabilities discovered and patched from 2007 to 2016. Contrary to many empirical works examining the link between competition and quality, we find that market concentration is not necessarily harmful to quality provision: a higher market concentration positively impacts the vendor’s responsiveness in patching vulnerabilities, although this effect is reduced when the vendor is too dominant.
The General Data Protection Regulation (GDPR) arrives in a context where real-time bidding systems are in widespread use and where the online advertising market is characterised by strong interdependence among actors and by the dominance of two actors, Google and Meta (formerly Facebook), across the entire value chain. More specifically, the creation and adoption by advertising-industry actors of a private standard for consent management, the Transparency Consent Framework (TCF), is a clear manifestation of a major problem the GDPR must confront: regulating the use of personal data in a market where the capacity to cope with new regulation is proportional to the capacity to generate, collect, analyse and consolidate data. By studying the specific case of the online advertising market, we ask how data regulation can affect competition in data-driven markets.
Jo, A. M., & Rossi, J. (2024). La rivalité très politique des standards de recueil du consentement sur le Web [The highly political rivalry between consent-collection standards on the Web]. Quaderni, 112(2), 22-22.
Several ways of collecting consent to the processing of personal data for advertising-targeting purposes coexist on the Internet. They are the subject of competing technical standards. Drawing on quantitative measurements and a field survey, this article explores the reasons for the success of a technical standard promoted by the advertising technology industry at the expense of alternatives originating from the more traditional arenas of Internet governance.
Ethical hackers in the service of business. Polytechnique Insight, 2021.
Hackers’ self-selection in crowdsourced bug bounty programs. Revue d'Economie Industrielle, 2021.
A bug bounty program, also called a Vulnerability Research Program (VRP), is a form of crowdsourcing increasingly employed by modern companies to improve the security of their systems. It consists of offering monetary rewards to individuals who find new security flaws in a piece of software or a system.
One of the key challenges in the design of such contests is to attract enough participants while limiting low-quality participation. In this paper, we study how hackers' perception of the uncertainty of obtaining a reward, determined by the level of information a contest provides about its contractual terms, affects the outcome of the contest both quantitatively (the number of participations) and qualitatively (participants' quality). Specifically, we examine how a hacker's choice to participate in a VRP depends on the level of information in its contractual terms.
Using an unbalanced panel data set on 156 bug bounty programs run on a well-known bug bounty platform, we find that more detailed contractual terms, and in particular more information about the compensation scheme, attract a greater number of participants. Conversely, providing less detail induces less participation but attracts higher-performing and more experienced hackers. Hackers self-select whether to participate in a VRP according to the level of information provided in the contest's contractual terms, which leads to a trade-off between inducing more participation and attracting more valuable participants.
Software vulnerability disclosure and security investment. Workshop on the Economics of Information Security (WEIS 2019), Boston College; Harvard University, Jun 2019, Boston, MA, United States.
In the debate on software vulnerability disclosure, existing work has mostly explored how disclosure gives software vendors an incentive to better secure their software. The role of third parties such as business users, security firms, downstream software vendors or service providers is rarely taken into account, while in fact these actors are increasingly involved in improving the security of software. In this paper, we examine how the public disclosure of a critical vulnerability impacts not only the software vendor’s behavior but, above all, that of other third parties.
Using data from 2009 to 2018 on vulnerabilities disclosed on SecurityFocus BugTraq, we compare how the contribution of each type of actor to finding new security flaws evolves for software affected by a critical vulnerability announcement and for other software. We find that the overall number of discovered vulnerabilities indeed increases after a highly publicized vulnerability announcement. While the software vendor already contributes much less than other actors to the discovery of new vulnerabilities, we observe that third parties are also much more sensitive to the disclosure. Interestingly, security firms and individual researchers are more affected by the disclosure than end users and downstream vendors. We suggest that the disclosure of a critical vulnerability is perceived as a signal that the affected software may carry additional undiscovered vulnerabilities. This gives each type of third party different kinds and degrees of incentive to invest in the affected software’s security, which might explain why the disclosure affects them to different extents.