Should Software Makers Be Liable For Security Holes?

from the back-to-the-big-question dept

In the wake of the Slammer worm, here’s an editorial piece from the San Jose Mercury News repeating Bruce Schneier’s popular position that software makers need to be held liable when there are security holes in their products. It repeats the claim that this would also open up a whole new area of insurance protection, which would put pressure on software companies to improve their security. I can see how this could help improve security, but I can also see how it would stifle small, independent (and individual) software developers by adding a ridiculous cost layer on top of creating the actual software. It would also raise questions about who gets sued for a security hole in open source software. What about software that is set up incorrectly? Is that the software company’s fault, or the fault of the company that set it up? I think it’s easier to just hold companies responsible for the claims they make. If they claim a product is “trustworthy” or “unbreakable”, and it isn’t, then there’s a case for liability. However, if no such claims are made, it’s tough to enforce liability. Update: Meanwhile, in somewhat related news, the price of hacker insurance is soaring, as it is often no longer covered by general liability insurance.


Comments on “Should Software Makers Be Liable For Security Holes?”

Adam Barr says:

how would liability have worked in this case?

In this particular case, Microsoft had issued a patch for the problem six months before. So would they still have been liable for Slammer?

I don’t know the exact laws about product safety, but I think if a product has been recalled, and the manufacturer has made it reasonably easy for people to replace the item or correct the problem, then they are more-or-less immune from fault from then on (modulo the fact that in the US, you can sue anyone for anything at anytime). Making a free patch available over the Internet would seem to qualify as making it “reasonably easy” to fix the software.

Sure there are tons of patches and it’s a pain to apply them etc., and Microsoft has huge holes in its software development process that need to be fixed — but what else could the company have done in this case, once the software was out there with the bug in it?

– adam

Agent Orange says:

Re: how would liability have worked in this case?

Umm… I don’t know, maybe not blame their customers right off the bat? They got hit as well, so I suppose they could also file a claim with their insurance against themselves to recover their own damages.

God, I hope they don’t read that – they could find a whole new way to get insane profits from their software.
