Is there really a significant downside for software vendors whose products have security holes? Maybe. According to research [1] by Rahul Telang and Sunil Wattal at Carnegie Mellon University, a software vendor's stock loses about 0.63% of its share price on the day a vulnerability is announced. (Thanks to SecurityFocus's [2] Robert Lemos for reporting on this.)
According to the study, which covers 146 vulnerability announcements over a five-year period, an average announcement costs the vendor about $860 million in market capitalization. Severe vulnerabilities move the stock price more than minor problems, and the hit is larger when the disclosure comes before a patch is available (1.49%) than when a patch already exists (0.37%).
And Microsoft [3] doesn't get hit as hard as other software vendors (0.28% average drop for Microsoft, 0.91% for others). The researchers don't say so, but that might be because Microsoft is part of so many indexes, and thus pension money goes to buy the stock on a regular basis no matter what.
Telang and Wattal haven't figured out whether the stock eventually recovers everything it loses due to the security-hole announcement. But at least they're doing real analysis to look at the problem, not just banging on a bully pulpit. [4]
And it sure does look like investors are paying attention to security problems.
(Those with a taste for academic papers may also be interested in Telang's recent research on the best time for a vendor to announce security holes [5] and on whether paying a bounty to bug finders is a good idea. [6])