On Software Liabilities
2024-02-08 12:00

Over on Lawfare, Jim Dempsey published a really interesting proposal for software liability: "Standard for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor."

Section 2 canvasses the different fields of law that could provide a starting point for what would have to be legislative action establishing a system of software liability.

The conclusion is that all of these fields would face the same question: How buggy is too buggy? Section 3 explains why existing software development frameworks do not provide a sufficiently definitive basis for legal liability.

Dempsey basically creates three buckets of software vulnerabilities: easy stuff that the vendor should have found and fixed, hard-to-find stuff that the vendor couldn't be reasonably expected to find, and the stuff in the middle.

One hundred percent of the liability shouldn't fall on the shoulders of the software vendor, just as one hundred percent shouldn't fall on the attacker or the network owner.

We don't let the fact that no restaurant can possibly fix all of the food-safety vulnerabilities lead us to the conclusion that restaurants shouldn't be responsible for any food-safety vulnerabilities, yet I hear that line of reasoning regarding software vulnerabilities all of the time.
News URL

https://www.schneier.com/blog/archives/2024/02/on-software-liabilities.html