Slashdot Mirror


Would Vendor Liability for Bugs Kill OSS?

Glyn Moody writes "Bruce Schneier has written an interesting column for Wired suggesting that vendors should be made liable for bugs in their software. But where would this leave open source developers? Would what seems like a great idea actually be the death of free software?"

6 of 377 comments

  1. I wouldn't. by Anonymous Coward · · Score: 4, Interesting

    I wouldn't contribute to OSS if I'd be exposing myself to a lawsuit because some dipshit found a creative way to exploit my code. They're the guilty party, not me.

  2. You can add a multiply factor... by scsirob · · Score: 4, Interesting

    If you want things to really hurt, multiply the purchase price by 10 or so. That would actually constitute a penalty to distribute buggy software for commercial vendors while still not impacting those who give the software away for free.

    Large software products will never be entirely bug-free. To keep things reasonable, there should be a standard time-to-fix so commercial vendors also have a fair chance of cleaning up after a mistake.

    --
    To Terminate, or not to Terminate, that's the question - SCSIROB

    1. Re:You can add a multiply factor... by jadavis · · Score: 3, Interesting

      multiply the purchase price by 10 or so...should be a standard time-to-fix

      This is getting way too complex. By mandating that software publishers are liable, you actually have to prevent people from entering contracts that limit liability. And if you start mandating bug fix windows, chaos will ensue. Vendors would just release "patches" that eliminate huge chunks of code to "fix" the bug and then nobody would download it.

      --
      Social scientists are inspired by theories; scientists are humbled by facts.
    2. Re:You can add a multiply factor... by dgatwood · · Score: 3, Interesting

      If automobiles were gratis, you might have a point. If open source software were used in safety-critical systems, you might have a point. With neither of these being typically true, you don't really have a point.

      If you build your business on a piece of software, it is your responsibility to protect your investment. It is your responsibility as a consumer to protect your investment as well. Losses due to the user failing to back up are the user's fault.

      What is not acceptable is the existence of bugs that prevent you from doing something for an extended period of time. What is not acceptable is the existence of reported security holes that are easily exploited that go unpatched for months or years.

      Oh, yeah. A few more bullet points:

      • For the purposes of bugs that represent known security vulnerabilities, "timely" shall be defined as no later than the release immediately following when they are first verifiably reported or fourteen days, whichever is shorter.
      • In the interest of allowing time for verification, a vulnerability reported less than 48 hours prior to a release will be considered reported on the day after the release provided that the vulnerability was not reported prior to the preceding release as a non-security-related bug.
      • A vulnerability reported on the same calendar day as a release will be considered to have been reported after the release, regardless of the time of day of the report or the release.
      • Calendar day may be based on any time zone in which the software producer has employees or volunteers involved in the release engineering process.
      • Failure to fix these vulnerabilities in such a timely manner shall result in civil liability for all damages resulting out of the exploitation of that vulnerability retroactively to when the bug was first introduced. Liability will continue until such time as the vulnerability has been patched for thirty (30) days.
      • In addition to actual damages, statutory damages not to exceed $100,000,000 US per incident for the injured class may be awarded in cases of willful disregard for security or extreme negligence.
      • Liability for unfixed security vulnerabilities may not be waived through offer of refund.
      • Liability for unfixed security vulnerabilities may not be waived through mere distribution of source code. However, damages will be limited to actual damages due to the ability of the user to obtain a security audit if desired.
      --
      Check out my sci-fi/humor trilogy at PatriotsBooks.

  3. What If Based On .... by Alien54 · · Score: 3, Interesting

    Software that you pay for should have some sort of liability. This could be on a sliding scale:

    • Free/no monetary cost = non liability
    • (homeuser non commercial product) up to 100 dollars = refund, and the additional penalty equal to cost of the software
    • Commercial Software - 100 to 1000 dollars each - something more substantial as a penalty
    • Industrial Software - 1,000 to 10,000 dollars each - something even more substantial as a penalty
    • Gov Grade, National Security, etc - more than 10,000 dollars - Bend over and ......

    The prices are for the full product. Upgrade editions count as the full product for liability.

    Something similar can be sorted out for large installations, bulk licenses, etc.

    Just thinking out loud

    --
    "It is a greater offense to steal men's labor, than their clothes"
  4. Re:No, if... by bill_kress · · Score: 3, Interesting

    As I said in another message elsewhere, the differentiation is control after the sale.

    If you are simply "Licensing" the software and not "Selling" it (i.e., if you are trying to control what happens to the software after it leaves the store shelf, by preventing copying or redistribution or modification) then you should be liable.

    When a company chooses to no longer be liable for bugfixes and the like, the product should be made "Free" so that you can make copies and modifications yourself (as it should if the company chooses to stop selling it). Not that I expect users would fix all these bugs, but at least it would give us a chance!

    As is, if they find some security hole in Windows 95 or 98 that is truly critical and MS chooses not to fix it, you may be out a computer (assuming you are ignorant of Linux anyway)--let's say your computer will no longer serve the purpose you paid the money for it to serve.

    Of course since laws in the US are being purchased by corporations, I don't expect this "Logic" to fly in any future I can imagine, but I can always dream.