Disclose or Exploit? A Game-Theoretic Approach to Strategic Decision Making in Cyber-Warfare

Haipeng Chen, Qian Han, Sushil Jajodia, Roy Lindelauf, V. S. Subrahmanian*, Yanhai Xiong

*Corresponding author for this work

Research output: Contribution to journalArticlepeer-review

5 Scopus citations


Today, countries are engaged in the cyber-arms race. With over 16 K new hardware/software vulnerabilities reported in 2018 alone, an important question confronts senior government decision makers when their cyber-warfare units discover a new vulnerability. Should they disclose the vulnerability to the vendor who produced the vulnerable product? Or should they 'stockpile' the vulnerability, holding it for developing exploits (i.e., cyber-weapons) that can be targeted at an adversary? Choosing the first option may be important when the affected company is a corporation in the nation state that discovers the vulnerability and/or if that nation state would have a big exposure to that vulnerability. Choosing the second option has obvious advantages to the discovering nation's defense. We formulate the cyber-competition between countries as a repeated cyber-warfare game (RCWG), where two countries (players) compete over a series of vulnerabilities by deciding, at the time of vulnerability discovery, 1) whether to exploit or disclose it and 2) how long to exploit it if they decide to exploit. We define the equilibrium state of the RCWG as a pure strategy Nash equilibrium, and propose a learning-while-competing framework to compute the pure strategy Nash equilibrium of the formulated RCWG. Although testing our results with real data in the murky world of cyber-warfare is challenging, we were able to obtain real statistics from other sources and demonstrate the effectiveness of our proposed algorithm through a set of simulation results under different scenarios using these third-party statistics. We also report on our DiscX system that can help support government decision makers in their decision whether to disclose or exploit a vulnerability that they find.

Original languageEnglish (US)
Article number8967205
Pages (from-to)3779-3790
Number of pages12
JournalIEEE Systems Journal
Issue number3
StatePublished - Sep 2020
Externally publishedYes


  • Cyber-security
  • decision support system
  • game theory
  • national defense and security

ASJC Scopus subject areas

  • Control and Systems Engineering
  • Information Systems
  • Computer Science Applications
  • Computer Networks and Communications
  • Electrical and Electronic Engineering


Dive into the research topics of 'Disclose or Exploit? A Game-Theoretic Approach to Strategic Decision Making in Cyber-Warfare'. Together they form a unique fingerprint.

Cite this