Software Security: Too Little Vendor Accountability, Experts Say

Published: 23/11/2024   Category: security


Actual legislation is a long shot and a decade away, but policy experts are looking to jump-start the conversation around greater legal liability for insecure software products.



While legal legwork is already in progress to hold software vendors liable for delivering insecure products, actual laws and penalties are at least a decade away, says one policy expert who'll be speaking at next week's RSA Conference.
Greater accountability for insecure software vendors has the support of the Biden White House. However, licensing and contract protections have shielded companies whose vulnerable products have cost customers millions, according to James Dempsey, senior policy adviser/technology and governance lecturer, Stanford Program on Geopolitics/UC Berkeley Law School.
Dempsey will moderate a detailed discussion of proposed legal frameworks for software liability at this year's RSA, giving vendors a glimpse at the liability landscape. He'll be joined by Nick Leiserson, assistant national cyber director, cyber policy and programs, Office of the National Cyber Director; Bruce Schneier, security technologist, researcher, and lecturer, Harvard Kennedy School; and Chinmayi Sharma, associate professor, Fordham Law School.
"Right now, almost all software developers have language in their licenses or other contracts or terms of service in which they disavow any liability for any flaws in their products," Dempsey explains.
He uses the example of the Microsoft license on his own laptop to illustrate.
"For example, the Microsoft license for the operating system on my laptop says: 'You may not under this limited warranty, under any other part of this agreement, or under any theory, recover any damages or other remedy, including lost profits or direct, consequential, special, indirect, or incidental damages,'" Dempsey tells Dark Reading. "'The damage exclusions and remedy limitations in this agreement apply even if Microsoft knew or should have known about the possibility of the damages.'"
That's how vendors have been evading legal liability for their customers' damages, and in some cases, collecting cyber insurance payouts instead.
Progress Software, whose vulnerable MOVEit file transfer software led to the breach of more than 600 organizations and the compromise of the personal information of more than 40 million people, has so far evaded liability for its customers' losses. Instead, Progress filed an 8-K form with the Securities and Exchange Commission that outlined the company's intent to collect on its full $15 million cyber-insurance policy coverage.
While there is a class-action consumer rights litigation against Progress Software for negligence and breach of contract, there are no legal protections for its customers, which in other industries could be enforced under an agreed-upon legal standard of care, according to a recent paper, "Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor," published by Dempsey in Lawfare. The paper outlines Dempsey's theory of the right path toward holding vendors legally liable for the cybersecurity of their products.
Okta is another software vendor that has exposed its customers to cyberattacks — and losses. September cyberattacks against Caesars Entertainment and MGM Resorts used Okta as an initial attack vector. Losses related to the cyberattacks at the hospitality giants racked up hundreds of millions in costs, both in lost earnings and in ransomware payouts.
By the end of 2023, Okta confirmed that an unauthorized user was able to gain access to data on 100% of its customers.
Holding developers liable for knowingly producing insecure tools requires carefully considered guidelines for what is a reasonable level of cybersecurity to expect from a software vendor in order to determine egregious outliers, Dempsey explained.
"Because there is general agreement that the manufacturers of software should not be made insurers of their products but rather should be liable only when a product is unreasonably secure, getting software liability right turns a lot on defining a standard of care," Dempsey's Lawfare article read.
This standard would include defects analysis already widely used in products liability law, the article added.
Dempsey also advocates a software developer safe harbor for hard-to-detect flaws. "For that, I would turn to a set of robust coding practices," Dempsey wrote.
Dempsey tells Dark Reading the Biden Administration realizes legislation will be necessary to achieve its goal of holding insecure software developers liable, which he adds they also understand is a long shot: "They see this as a 10-year issue."
Dempsey will moderate a detailed discussion of the proposed legal framework for software liability on Monday, May 6, during RSA in San Francisco at 8:30 a.m. PT, giving vendors a glimpse at the liability landscape to come.