‘What are the odds someone will find and exploit this?’ Nice one — you just released an insecure app

MachDiamond Silver badge

Why = Money

There is very little downside to releasing insecure code or hardware. At the most, companies that get spanked wind up paying their customers back with a period of credit monitoring (I've got credit monitoring for life at this point). The chances of them having to do that much are pretty slim. It's one thing to see if customers' money has been pilfered from their bank accounts, but an exploit may allow somebody to rummage through corporate docs or files from R&D. How might that loss be quantified if the information is used to gain an advantage over that company? An insecure IoT device that gives somebody a way to use a person's internet connection to download some movies, after which the victim gets a settlement offer that's uneconomical to fight, might be another case. It could also be worse if the person commits a crime. How much would you have to pay an attorney to defend yourself against charges for something you didn't do? At hundreds an hour, even showing you aren't involved can quickly run to thousands.

There needs to be a bunch of liability for releasing poor software. If a company can show to a court that it has had its software evaluated by a qualified third party and has a protocol in place internally to find and fix security issues, perhaps that can mitigate some of the fines. If companies are playing fast and loose, it should be an offense that might close the company down. It's awfully rare that there is a piece of software that has no competition, so the argument that the market will be harmed irreparably is likely false. I also expect that very narrowly focused software with a limited customer base and no competition is much less likely to be exploited.
