Slashdot Comment - Software Liability

The market has created clear categories of software that range from the rather unreliable (Windows, piddly silly games, etc) to the extremely reliable (commercial Unices, VxWorks, QNX, etc). Interjecting liability laws into this arena will only throw that balance off and eliminate the lower-cost alternatives (including maybe boxed Linux distros!).

This comment is more interesting than the Slashdot story it's a part of, but that's interesting too. The Slashdot article discusses a Security Focus article about a recently proposed IETF draft that would formalize a statement of best practice for reporting new vulnerabilities.

An excessively rigid formalization could hurt more than it helps; across the spectrum of vulnerability levels (anything from "basically a glorified bug" up to "allows outsider to completely control system") and exposure levels (from "user has to wait an extra millisecond" to "complete destruction of civilization", though we've been mercifully short of the extreme on the high end), there are a lot of nuances to consider in what the finder and the vendor are responsible for.

My biggest concern with this sort of thing is enforcement; once the standard is in place, someone's going to sue someone else and point to the IETF document as evidence on their side, be it customer or vendor. I would not like to be on either end of that suit. Judges routinely deal in technical domains they are unfamiliar with, but software is unusual in that everybody thinks they understand computers, and the knowledge they think they have gets in the way of them learning anything. (This is probably about fifty percent of why things like the SSSCA can pass Congress.)