Should Software Makers Be Liable For Security Holes?
from the back-to-the-big-question dept
In the wake of the Slammer worm, here’s an editorial piece from the San Jose Mercury News repeating the popular position from Bruce Schneier that software makers need to be held liable when there are security holes in their products. He repeats the claim that this would also open up a whole new area of insurance coverage, which would put pressure on software companies to improve their security. I can see how this could help improve security, but I can also see how it would stifle small, independent (and individual) software developers by adding a ridiculous cost layer on top of creating the actual software. It would also raise questions about who gets sued for a security hole in open source software. What about software that is set up incorrectly? Is it then the software company’s fault or the fault of the company that set it up? I think it’s easier to just hold companies responsible for the claims they put forth. If they claim a product is “trustworthy” or “unbreakable”, and it isn’t, then there’s a case for liability. However, if no such claims are made, it’s tough to enforce liability. Update: Meanwhile, in somewhat related news, the price of hacker insurance is soaring, as it is often no longer covered by general liability insurance.