Economic and policy implications of restricted patch distribution

In this paper, we study how restricting the availability of patches to legal users impacts the vendor's profits, market share, software maintenance decisions, and welfare outcomes. Prior work on this topic assumes that the hacker's effort is independent of the vendor's decision to release the patch freely or not. Clearly, if the patch is not available to everyone, the hacker finds it easier to exploit the vulnerability in the product and, as a result, is likely to alter his effort. To understand the role of a strategic hacker, we build a game-theoretic model, where the hacker's decision is endogenous. With this model, we find that the hacker's effort may, on the one hand, decrease the utility that the vendor can extract from the consumers but, on the other hand, may help differentiate the legal version of the product from the pirated version. A vendor can strategically exploit the hacker's behavior in its pricing and software maintenance decisions. The endogeneity of the hacker's actions drives several of our findings that have interesting policy implications. For example, the vendor may increase the price and reduce market share to exploit the differentiation. In such a case, there may be more pirates in the restricted-patch case than when the patch is freely available, a result that rims counter to typical arguments provided for restricting patches. Keywords: information security; patch distribution; countervailing incentive; public policy History: Received January 7, 2013; accepted December 21, 2014, by Chris Forman, information systems. Published online in Articles in Advance March 2, 2016.
1. Introduction Software vendors have restricted the availability of patches only to legal users because of piracy concerns. Windows Genuine Advantage from Microsoft and Adobe Genuine Software are examples of [...]