You are advising a software firm on developing appropriate


You are advising a software firm on developing appropriate disclosure policies. You spend some time analyzing the past data that the firm has made available to you and come up with the following numbers for a typical software product.

There are on average about a million customers using the product, and they would lose on average $100 each if an attacker can exploit it. The vendor cares about only 50% of its customers' loss. When a vulnerability is reported to you, if you ask the vendor to provide a patch within a week (LOW), the vendor can provide the patch at a cost of $500,000. In this case, only 0.1% of the users will suffer loss. If you ask the vendor to provide a patch within two weeks (MEDIUM), then they can provide the patch for $250,000, but by that time many exploit tools would become available, increasing the probability of breach so that 0.4% of the users will suffer breaches and loss. Finally, if you ask the vendor to provide a patch in a month (HIGH), then it costs them only $100,000, but 1% of the users will suffer loss.

Assume that customers patch their systems as soon as the patch becomes available.

When will the vendor issue the patch if the vendor is free to decide?

As the firm, when would you like the vendor to issue the patch?
