Title :
Two views on security software liability. Let the legal system decide
Author :
Ryan, Daniel J. ; Heckman, Carey
Author_Institution :
George Washington Univ., Washington, DC, USA
Abstract :
Rather than use the product liability screwdriver as a chisel, why not consider a package of more effective tools? Corporations and individuals that market software despite knowledge of software security flaws should face criminal prosecution as well as civil lawsuits with punitive damages. Perhaps bounties should be available for the first to discover and establish the existence of a security flaw. Publishers should be required to post to the Web and otherwise publicize promptly patch availability. The software equivalent of an Underwriters Laboratories should establish and constantly improve security-related standards and testing protocols. It should be made readily apparent whether a program has passed and at what level. Prospective customers should be educated and encouraged to insist on software that has passed. Stronger software security is important. Software developers and publishers must do better. But product liability is not the right legal tool for the job.
Keywords :
product liability; program testing; security of data; software quality; criminal prosecution; product liability; security software liability; security-related standards; security-related testing protocols; software security flaws; Computer security; Contracts; Injuries; Law; Legal factors; Manufacturing; Marketing and sales; Privacy; Product safety; Software safety;
Journal_Title :
Security & Privacy, IEEE
DOI :
10.1109/MSECP.2003.1176999