You do make a valid though somewhat flawed point about exposure. I say flawed because, in my opinion, 'unwitting exposure' does not strike me as an entirely accurate evaluation of the situation. My argument to support this is thus: the system(s) are not truly exposed if the security flaw is not known.
For example, let's look at the (somewhat recent) Windows WMF security issue. Until this flaw was known, there was no 'exposure' posed to systems. As soon as Microsoft was aware of the issue it did what Microsoft normally does: they schedule a release date for the patch. At this point in time Microsoft would have had a valid defense against a 'depraved indifference' suit; had it been able to keep the flaw under wraps, all would have been fine and dandy. However, as we all know, Microsoft failed to do so. And what happened in that time? Known exploits were found in the wild, as well as a third-party software vendor releasing their own patch to solve the issue. In my opinion it was at this point that Microsoft was most at risk of not being able to defend itself against a 'depraved indifference' suit.
And that is the point I'm trying to make. Software companies need to be given a chance to fix security flaws not only to minimize 'Bad PR', but to minimize their legal liability as well.
I've seen many a story about this issue, though I've never seen a thorough examination of the legal side and felt it was high time someone pointed out that there may be something other than company reputations and bad PR at risk.
Re:Forget the moral, mind the legal.
Posted by: Impius Nex on August 09, 2006 04:20 PM