Cure For Bad Software? Legal Liability

satch89450 writes: "SecurityFocus had a column that I missed when it was first published a few days ago, titled 'Responsible Disclosure' Draft Could Have Legal Muscle, but I discovered it when researching an answer to a comment on the CYBERIA mailing list. In this article, Mark Rasch discusses how the Draft would set the rules for reporting security vulnerabilities, and in particular define the boundaries of liability assumed by bug-disclosers. By adopting a 'Best Practices' RFC, the IETF could help the reporters of security-related bugs do their job, and put the onus of fixing the bugs on the vendors who make the mistakes, where it belongs. (The RFC draft described in the article, 'Responsible Vulnerability Disclosure Process', is here at the ISI repository.) This is, of course, in direct opposition to the process that Microsoft's Scott Culp, Manager of the Microsoft Security Response Center, would like to see. As Microsoft is more part of the problem than part of the solution, I believe that the path to a formal process would better serve the entire community - and that community includes Microsoft's customers. I'm taking this seriously because the mainstream press is talking about the issue, and what it's going to take to fix it. Here is an example from BusinessWeek that scares me silly. I'm glad I'm looking to change careers from software development to something safe, like law."

4 of 367 comments

  1. Re:Open Source Software As Well by bay43270 · Score: 3, Informative

    This would create a huge barrier to entry for the entire software industry. Joe Blow could no longer write software 'just cause the world needed it'. If you aren't hiding behind a corporate shield, you simply couldn't write software.

    IMHO, even as buggy as Microsoft's software is, they are the best suited to defend themselves. In a liable industry, they might stand the best chance of surviving.

  2. Re:Open source and liability by Anonymous Coward · Score: 1, Informative

    More importantly, you've not paid for open source software. There is no contract, and therefore no obligation on the developer's part to fix anything that is wrong with it.

    It is like somebody giving out free basketballs. If the free basketballs were made with defects, you have no basis for forcing the giver to fix your basketball. They have incurred no legal duty to you. There is no quid pro quo.

    OTOH, if you paid for the basketball at a sporting goods store, the store and the manufacturer are liable for any defects in the product.

    Scythe

  3. Re:Is good software possible? by Anonymous Coward · Score: 1, Informative

    I agree with you about unreliable platforms making reliable software development difficult and have posted a response to a response illustrating problems with SAPI 5.0 (Microsoft speech API).

    However, what about API standards like POSIX? Well defined in terms of behavior, arguments, etc. Unlike shoddy libraries from certain companies, POSIX platforms are CERTIFIED to be correct and calls have return values defined for virtually any situation (as it should be). What excuses apply then? Sure, platforms are a factor, but what about when they are not???

  4. Re:Merchantability by WNight · Score: 3, Informative

    Those products were sold, before you got to see the EULA. Thus what the EULA says is irrelevant.

    The only software that is licensed is that which is agreed to before any money is paid. If you call up Microsoft and ask for a site license, they can hand you a list of restrictions. If you walk into CompUSA and buy the software, you've bought it free and clear.

    (And are only bound by existing law. You can't copy it, but you also can't use it to bludgeon someone with, and not because of any restriction from the vendor.)