oss-sec mailing list archives
Re: Thoughts on Shellshock and beyond
From: Tim <tim-security () sentinelchicken org>
Date: Thu, 9 Oct 2014 08:28:23 -0700
> PS: fun fact, the only thing you _will_ get sued for are: software patents

Perhaps we should patent the implementation of vulnerabilities in software. Then go trolling. ;-)

Seriously though, I agree with you that some form of liability ought to be introduced in order to create the business incentive to change development practices. However, the devil is in the details, and as Michal pointed out, you don't want to squash open source innovation. So how do you introduce liability for software defects while allowing innovation to continue?

Initially, perhaps you could limit liability to the cost of the software. This protects open source projects while creating a modest incentive for larger software companies to do better. But then you have cases like Adobe Flash/PDF/etc where they don't charge and yet have created a huge problem in the industry. How do you address that? Plus, if you did it this way, people might start to assume all open source software is insecure just because there is no liability.

I don't know, I've thought a fair amount about this, and it isn't easy to implement. It would probably require multiple separate ways to create incentives for quality.

tim