{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,5,2]],"date-time":"2026-05-02T06:59:39Z","timestamp":1777705179377,"version":"3.51.4"},"reference-count":40,"publisher":"SAGE Publications","issue":"1","content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["IFS"],"published-print":{"date-parts":[[2023,1,5]]},"abstract":"<jats:p>The vulnerability patch R&amp;D has become an important part of information security governance. An effective collaboration with software vendors in patch R&amp;D is of great significance to reduce the existence time of information security risks. This work aims to explore the relationship between vulnerability information disclosure and patch R&amp;D of software vendors. The data regarding the vulnerability and software vendors is gathered from third-party vulnerability sharing platforms, including (China\u2019s national information security vulnerability database, CNNVD) and Tianyacha.com. Based on the theory of organizational information processing, linear regression model and Cox proportional risk regression model are built for appropriately addressing the research questions. The results show that the vulnerability disclosure of the third-party sharing platform can improve the patch R&amp;D probability of software vendors. The information processing requirements, such as vulnerability information attention, vulnerability score and whether vulnerabilities are disclosed in advance accelerate the vulnerability patch R&amp;D. The enterprise information processing capability indicators, including the industry dependence of software product customers and the staff size of software vendors accelerate the patch R&amp;D. 
The number of products affected by the vulnerabilities and the number of software copyrights of software vendors have no significant impact on patch R&amp;D.<\/jats:p>","DOI":"10.3233\/jifs-221316","type":"journal-article","created":{"date-parts":[[2022,9,30]],"date-time":"2022-09-30T12:19:38Z","timestamp":1664540378000},"page":"839-853","source":"Crossref","is-referenced-by-count":2,"title":["An empirical analysis of vulnerability information disclosure impact on patch R&amp;D of software vendors"],"prefix":"10.1177","volume":"44","author":[{"given":"Qiang","family":"Xiong","sequence":"first","affiliation":[{"name":"School of Management, Jiangsu University, Zhenjiang, P.R. China"}]},{"given":"Shuai","family":"Lian","sequence":"additional","affiliation":[{"name":"School of Management, Jiangsu University, Zhenjiang, P.R. China"}]},{"given":"Zhangying","family":"Zeng","sequence":"additional","affiliation":[{"name":"Department of Technology and Science, Jiangsu University, Zhenjiang, P.R. China"}]},{"given":"Runxin","family":"He","sequence":"additional","affiliation":[{"name":"Baidu USA LLC, Bordeaux Drive, Sunnyvale, California, USA"}]},{"given":"Binxin","family":"Zhu","sequence":"additional","affiliation":[{"name":"School of Management, Jiangsu University, Zhenjiang, P.R. China"}]},{"given":"Xinqi","family":"Yang","sequence":"additional","affiliation":[{"name":"School of Management, Jiangsu University, Zhenjiang, P.R. 
China"}]}],"member":"179","reference":[{"key":"10.3233\/JIFS-221316_ref1","first-page":"1","article-title":"Quantifying patch management","volume":"2","author":"Shostack","year":"2003","journal-title":"Secure Business Quarterly"},{"key":"10.3233\/JIFS-221316_ref2","doi-asserted-by":"crossref","first-page":"171","DOI":"10.1109\/TSE.2007.26","article-title":"Efficiency of vulnerability disclosure mechanisms to disseminate vulnerability knowledge","volume":"3","author":"Cavusoglu","year":"2007","journal-title":"IEEE Transactions on Software Engineering"},{"key":"10.3233\/JIFS-221316_ref4","doi-asserted-by":"crossref","first-page":"657","DOI":"10.1287\/mnsc.1070.0794","article-title":"Security patch management: share the burden or share the damage","volume":"4","author":"Cavusoglu","year":"2008","journal-title":"Management Science"},{"key":"10.3233\/JIFS-221316_ref7","doi-asserted-by":"crossref","first-page":"14","DOI":"10.1109\/MSP.2005.17","article-title":"Is finding security holes a good idea","volume":"3","author":"Rescorla","year":"2005","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JIFS-221316_ref11","first-page":"233","article-title":"Timing the application of security patches for optimal uptime","volume":"2","author":"Beattie","year":"2002","journal-title":"LISA"},{"key":"10.3233\/JIFS-221316_ref12","doi-asserted-by":"crossref","first-page":"726","DOI":"10.1287\/mnsc.1040.0357","article-title":"Market for software vulnerabilities? 
think again","volume":"5","author":"Kannan","year":"2005","journal-title":"Management Science"},{"key":"10.3233\/JIFS-221316_ref13","doi-asserted-by":"crossref","first-page":"544","DOI":"10.1109\/TSE.2007.70712","article-title":"An empirical analysis of the impact of software vulnerability announcements on firm stock price","volume":"8","author":"Telang","year":"2007","journal-title":"IEEE Transactions on Software Engineering"},{"key":"10.3233\/JIFS-221316_ref16","doi-asserted-by":"crossref","first-page":"115","DOI":"10.1287\/isre.1080.0226","article-title":"An empirical analysis of software vendors\u2019 patch release behavior: impact of vulnerability disclosure","volume":"1","author":"Arora","year":"2010","journal-title":"Information Systems Research"},{"key":"10.3233\/JIFS-221316_ref17","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/MSP.2005.12","article-title":"Economics of software vulnerability disclosure","volume":"1","author":"Arora","year":"2005","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JIFS-221316_ref18","doi-asserted-by":"crossref","first-page":"278","DOI":"10.1016\/j.cose.2016.08.004","article-title":"Time between vulnerability disclosures: A measure of software product vulnerability","volume":"62","author":"Johnson","year":"2016","journal-title":"Computers & Security"},{"key":"10.3233\/JIFS-221316_ref19","doi-asserted-by":"crossref","first-page":"62","DOI":"10.1002\/qre.2380","article-title":"Coverage-based vulnerability discovery modeling to optimize disclosure time using multiattribute approach","volume":"1","author":"Kansal","year":"2019","journal-title":"Quality & Reliability Engineering International"},{"key":"10.3233\/JIFS-221316_ref20","doi-asserted-by":"crossref","first-page":"161","DOI":"10.1016\/j.chb.2019.09.028","article-title":"A mixed methods probe into the direct disclosure of software vulnerabilities","volume":"103","author":"Ruohonen","year":"2020","journal-title":"Computers in Human 
Behavior"},{"key":"10.3233\/JIFS-221316_ref21","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1080\/07421222.2003.11045841","article-title":"Information processing view of organizations: an exploratory examination of fit in the context of interorganizational relationships","volume":"1","author":"Premkumar","year":"2005","journal-title":"Journal of Management Information Systems"},{"key":"10.3233\/JIFS-221316_ref22","doi-asserted-by":"crossref","first-page":"39","DOI":"10.2307\/20721414","article-title":"An empirical analysis of the impact of information capabilities design on business process outsourcing performance","volume":"1","author":"Mani","year":"2010","journal-title":"Mis Quarterly"},{"key":"10.3233\/JIFS-221316_ref23","doi-asserted-by":"crossref","first-page":"613","DOI":"10.2307\/257550","article-title":"Information Processing as an Integrating Concept in Organizational Design","volume":"3","author":"Tushman","year":"1978","journal-title":"Academy of Management Review"},{"key":"10.3233\/JIFS-221316_ref24","doi-asserted-by":"crossref","first-page":"343","DOI":"10.1007\/s00766-013-0174-7","article-title":"A pattern-based method for establishing a cloud\u2014specific information security management system","volume":"4","author":"Beckers","year":"2013","journal-title":"Requirements Engineering"},{"key":"10.3233\/JIFS-221316_ref25","first-page":"367","article-title":"Improving the quality of information security management systems with ISO27000","volume":"4","author":"Sinha","year":"2011","journal-title":"The TQM Journal"},{"key":"10.3233\/JIFS-221316_ref26","doi-asserted-by":"crossref","first-page":"39","DOI":"10.2307\/20721414","article-title":"An empirical analysis of the impact of information capabilities design on business process outsourcing performance","volume":"1","author":"Mani","year":"2010","journal-title":"MIS 
Quarterly"},{"key":"10.3233\/JIFS-221316_ref27","doi-asserted-by":"crossref","first-page":"462","DOI":"10.1287\/ijoc.2014.0638","article-title":"Optimal policies for security patch management","volume":"3","author":"Dey","year":"2015","journal-title":"INFORMS Journal on Computing"},{"key":"10.3233\/JIFS-221316_ref28","doi-asserted-by":"crossref","first-page":"93","DOI":"10.1007\/s10676-004-1266-3","article-title":"Agents of responsibility in software vulnerability processes","volume":"6","author":"Takanen","year":"2004","journal-title":"Ethics and Information Technology"},{"key":"10.3233\/JIFS-221316_ref29","first-page":"43","article-title":"Are markets for vulnerabilities effective?","volume":"1","author":"Ransbotham","year":"2008","journal-title":"Mis Quarterly"},{"key":"10.3233\/JIFS-221316_ref30","doi-asserted-by":"crossref","first-page":"397","DOI":"10.2307\/23044049","article-title":"Correlated failures, diversification, and information security risk management","volume":"2","author":"Chen","year":"2011","journal-title":"MIS Quarterly"},{"key":"10.3233\/JIFS-221316_ref31","first-page":"31","article-title":"Review: understanding open source software development","volume":"1","author":"Amatya","year":"2018","journal-title":"ITNOW"},{"key":"10.3233\/JIFS-221316_ref32","doi-asserted-by":"crossref","first-page":"290","DOI":"10.1007\/s13235-013-0102-y","article-title":"Dynamic platform competition with malicious users","volume":"4","author":"Garcia","year":"2014","journal-title":"Dynamic Games Appl"},{"key":"10.3233\/JIFS-221316_ref33","first-page":"562","article-title":"Market value of voluntary disclosures concerning information security","volume":"3","author":"Gordon","year":"2010","journal-title":"MIS Quarterly"},{"key":"10.3233\/JIFS-221316_ref34","first-page":"1","article-title":"Vulnerability disclosure mechanisms: A synthesis and framework for market-based and non-market-based 
disclosures","volume":"1","author":"Ahmed","year":"2021","journal-title":"Decision Support Systems"},{"key":"10.3233\/JIFS-221316_ref35","doi-asserted-by":"crossref","first-page":"642","DOI":"10.1287\/mnsc.1070.0771","article-title":"Optimal policy for software vulnerability disclosure","volume":"4","author":"Arora","year":"2008","journal-title":"Management Science"},{"key":"10.3233\/JIFS-221316_ref36","first-page":"17","article-title":"What determines the Chinese firms\u2019 technological innovation\u2014\u2014A re-empirical investigation based on the previous empirical literature of nine chinese economics top journals and a-share listed company data","volume":"1","author":"Feng","year":"2021","journal-title":"China Industrial Economics"},{"key":"10.3233\/JIFS-221316_ref37","doi-asserted-by":"crossref","first-page":"139","DOI":"10.1023\/A:1022965830769","article-title":"Firm density and industry R&D intensity: theory and evidence","volume":"2","author":"Lee","year":"2003","journal-title":"Review of Industrial Organization"},{"key":"10.3233\/JIFS-221316_ref38","doi-asserted-by":"crossref","first-page":"289","DOI":"10.1023\/A:1019516424249","article-title":"Evolution, path dependence, learning and innovation: a review of four recent books","volume":"3","author":"Harding","year":"2002","journal-title":"Minerva"},{"key":"10.3233\/JIFS-221316_ref39","doi-asserted-by":"crossref","first-page":"67","DOI":"10.1093\/scipol\/38.1.67","article-title":"Are small, medium- and micro-sized enterprises engines of innovation? 
the reality in South Africa","volume":"1","author":"Booyens","year":"2011","journal-title":"Science & Public Policy (SPP)"},{"key":"10.3233\/JIFS-221316_ref40","first-page":"152","article-title":"Impact of the components of open business model on two-stage innovation performance of financial technology enterprises","volume":"6","author":"Zhang","year":"2020","journal-title":"R&D Management"},{"key":"10.3233\/JIFS-221316_ref41","doi-asserted-by":"crossref","first-page":"544","DOI":"10.1109\/TSE.2007.70712","article-title":"An empirical analysis of the impact of software vulnerability announcements on firm stock price","volume":"3","author":"Telang","year":"2007","journal-title":"IEEE Transactions on Software Engineering"},{"key":"10.3233\/JIFS-221316_ref42","doi-asserted-by":"crossref","first-page":"115","DOI":"10.1287\/isre.1080.0226","article-title":"An empirical analysis of software vendors\u2019 patch release behavior: impact of vulnerability disclosure","volume":"1","author":"Arora","year":"2010","journal-title":"Information Systems Research"},{"key":"10.3233\/JIFS-221316_ref43","doi-asserted-by":"crossref","first-page":"257","DOI":"10.1080\/07421222.2003.11045841","article-title":"Information processing view of organizations: an exploratory examination of fit in the context of interorganizational relationships","volume":"22","author":"Premkumar","year":"2005","journal-title":"Journal of Management Information Systems"},{"key":"10.3233\/JIFS-221316_ref44","doi-asserted-by":"crossref","first-page":"20","DOI":"10.1109\/MSP.2005.12","article-title":"Economics of software vulnerability disclosure","volume":"1","author":"Arora","year":"2005","journal-title":"IEEE Security & Privacy"},{"key":"10.3233\/JIFS-221316_ref45","first-page":"350","article-title":"Does information security attack frequency increase with vulnerability disclosure? 
An empirical analysis","volume":"5","author":"Arora","year":"2006","journal-title":"Information Systems Frontiers"},{"key":"10.3233\/JIFS-221316_ref46","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1145\/2630069","article-title":"Comparing vulnerability severity and exploits using case-control studies","volume":"1","author":"Allodi","year":"2014","journal-title":"Acm Transactions on Information & System Security"},{"key":"10.3233\/JIFS-221316_ref47","doi-asserted-by":"crossref","first-page":"109","DOI":"10.1007\/s11416-014-0205-z","article-title":"Modeling discovery and removal of security vulnerabilities in software system using priority queueing models","volume":"2","author":"Lim","year":"2014","journal-title":"Journal of Computer Virology & Hacking Techniques"},{"key":"10.3233\/JIFS-221316_ref49","doi-asserted-by":"crossref","first-page":"1147","DOI":"10.1109\/TSE.2014.2354037","article-title":"An empirical methodology to evaluate vulnerability discovery models","volume":"12","author":"Massacci","year":"2014","journal-title":"Software Engineering IEEE Transactions on"}],"container-title":["Journal of Intelligent &amp; Fuzzy Systems"],"original-title":[],"link":[{"URL":"https:\/\/content.iospress.com\/download?id=10.3233\/JIFS-221316","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2026,4,29]],"date-time":"2026-04-29T09:43:07Z","timestamp":1777455787000},"score":1,"resource":{"primary":{"URL":"https:\/\/journals.sagepub.com\/doi\/full\/10.3233\/JIFS-221316"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2023,1,5]]},"references-count":40,"journal-issue":{"issue":"1"},"URL":"https:\/\/doi.org\/10.3233\/jifs-221316","relation":{},"ISSN":["1064-1246","1875-8967"],"issn-type":[{"value":"1064-1246","type":"print"},{"value":"1875-8967","type":"electronic"}],"subject":[],"published":{"date-parts":[[2023,1,5]]}}}