To define a mathematical model for evaluating the impact of a vulnerability in an information infrastructure, we consider a zero-sum game between an attacker and a defender, each allocating a fixed amount of resources to search for vulnerabilities. The defender's resources search for vulnerabilities in order to remove them and so prevent attacks, whereas the attacker's resources search for vulnerabilities in order to attack the infrastructure. Attacks result in a defender loss that, in the simplest case, is proportional to the time between the discovery of a vulnerability by an attacker resource and its discovery by a defender resource. We define conditions for a Nash equilibrium, where a player cannot improve its utility by changing only its own move, and show that the corresponding allocation requires a large defender investment with a low return. A condition is introduced to evaluate when open code components should be preferred.