Bi-Criterion Problem to Determine Optimal Vulnerability Discovery and Patching Time
In the last decade, we have seen enormous growth in software security related problems. This is due to the presence of attackers who keep an eye on software vulnerabilities and exploit them to cause security breaches, from which software firms suffer huge losses. The problem facing software firms is two-fold. One part is to decide the optimal discovery time of software vulnerabilities, and the other is to determine the optimal patching time for the discovered vulnerabilities. Determining the optimal discovery time is necessary because failing to disclose a vulnerability on time may cause serious loss in the future. On the other hand, after discovering the vulnerabilities, it is even more important to fix them. Vulnerabilities are fixed by patching, but when to patch them is also a great concern for software firms: a delay in patching may cause more security breaches and disadoption of the software, while early patching may reduce the risk, a bad patch may increase the risk of a security breach even after the remedial patch is released. In the current work, we propose a bi-criterion framework that minimizes cost and risk together under risk and budgetary constraints to determine the optimal vulnerability discovery and patching time. The proposed model is validated using a real life data set.