
Should Developers Be Sued For Security Holes?

Posted by samzenpus
from the who's-to-blame dept.
An anonymous reader writes "A Cambridge academic is arguing for regulations that allow software users to sue developers when sloppy coding leaves holes for malware infection. European officials have considered introducing such a law but no binding regulations have been passed. Not everyone agrees that it's a good idea — Microsoft has previously argued against such a move by analogy, claiming a burglary victim wouldn't expect to be able to sue the manufacturer of the door or a window in their home."
  • Bad Analogy (Score:5, Informative)

    by ZombieEngineer (738752) on Thursday August 23, 2012 @06:46PM (#41102861)

    You cannot sue a door or window manufacturer for the failure of your own action (leaving the door / window open).

    You should be able to successfully sue a door / window manufacturer for failing to provide the requested product (i.e. seal the opening).

    That then hits the ugly question of what is "reasonable". Did the manufacturer provide a reasonable product that provided the expected level of security?

  • by DeathFromSomewhere (940915) on Thursday August 23, 2012 @06:58PM (#41103023)
    You realize the most visible open source software projects are built by commercial software vendors? Also, how would you define "sloppy coding" in a law?
  • by dkleinsc (563838) on Thursday August 23, 2012 @07:00PM (#41103057) Homepage

    They aren't talking about suing the individual programmers, they're talking about suing the software companies. Specifically, they want to disallow this kind of language very common in EULAs (this is taken from an actual EULA, name omitted to protect the guilty):

    _______ and/or its respective suppliers hereby disclaim all warranties and conditions with regard to this product, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. In no event shall _______ and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of this software.

    The translation of this clause out of legalese is "No matter what happens, you can't sue us, we're not responsible. We don't promise that this software is even remotely like what we advertised it to be."

  • by arth1 (260657) on Thursday August 23, 2012 @07:06PM (#41103131) Homepage Journal

    If it was possible to prevent all security holes, this wouldn't be a bad idea. However, it is provably impossible to do so.

    This is true. However, I still think it should be possible to sue for gross negligence. Like lack of input validation, or storing passwords in plain text, or installing everything world writable.

    That's like a bike lock manufacturer whose locks open if hit with a shoe, or a car manufacturer whose cars start if you roll them downhill and put them in gear, even without an ignition key. Both existed, but would be considered gross negligence today.

    I don't expect software to be perfect, but I do expect it to not be outright stupid.
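
    Editor's note: the "storing passwords in plain text" item in the comment above is the one of the three that is easiest to show concretely, so here is an added example (not code from the thread or from any poster) contrasting a plaintext credential table with a salted, slow-hashed one. The user table is a constructed in-memory dict, the user names and passwords are made up, and the PBKDF2 iteration count is an assumed work factor, not a value from the page.

```python
import hashlib
import hmac
import os

# Assumed work factor for PBKDF2-HMAC-SHA256; tune to your hardware budget.
PBKDF2_ITERATIONS = 600_000
SALT_BYTES = 16


def store_plaintext(db: dict, user: str, password: str) -> None:
    """The negligent version: the secret itself is written to the record."""
    db[user] = password


def store_hashed(db: dict, user: str, password: str) -> None:
    """The hardened version: keep only a per-user salt plus a slow hash.

    A copy of the table lets an attacker guess passwords offline, but each
    guess costs PBKDF2_ITERATIONS hash operations and cannot be shared across
    users because every record has its own random salt.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    db[user] = {"salt": salt, "iterations": PBKDF2_ITERATIONS, "hash": digest}


def verify_hashed(db: dict, user: str, password: str) -> bool:
    """Check a login against the hashed table without leaking which accounts exist."""
    rec = db.get(user)
    if rec is None:
        # Burn the same amount of work on an unknown user so response time
        # does not distinguish "no such account" from "wrong password".
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\x00" * SALT_BYTES, PBKDF2_ITERATIONS)
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], rec["iterations"])
    # Constant-time comparison: a plain == would leak how many leading bytes match.
    return hmac.compare_digest(candidate, rec["hash"])


def leaked_secrets(db: dict) -> list:
    """What an attacker learns from a stolen copy of the table.

    Plaintext records give up the password directly; hashed records give up
    nothing reusable as a credential.
    """
    return [value for value in db.values() if isinstance(value, str)]


if __name__ == "__main__":
    bad, good = {}, {}
    store_plaintext(bad, "alice", "correct horse battery staple")  # constructed sample
    store_hashed(good, "alice", "correct horse battery staple")
    print("plaintext table leaks:", leaked_secrets(bad))
    print("hashed table leaks:", leaked_secrets(good))
    print("login ok:", verify_hashed(good, "alice", "correct horse battery staple"))
    print("wrong password:", verify_hashed(good, "alice", "wrong"))
```

    The `verify_hashed` path also does the two things that usually get forgotten even once hashing is in place: it spends the same work on an unknown user, and it compares digests in constant time. Both are cheap to add and hard to retrofit once the table has already been copied.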
