Re: The problem is that user management doesn't demand security

[Andreas Saurwein <saurwein () uniwares com>]

At 9/12/2003 18:47 Tuesday, you wrote:

I admit this next question may point to a lack of imagination on my part, 
but as a customer/end-user, *how* do you hold a vendor accountable for 
security?


Once you have chosen the best product you can, the vendor has your money. 
How then to apply pressure to squash bugs and fill holes?  The current 
model uses a mix of extortion (fix this hole or I release it to the world) 
and loss of brand value or reputation (fix this bug or everyone will know 
you don't support your customers).  Without passing judgment on the 
current model, is there another way?


Experience shows that most ISVs are more than happy when you report bugs to 
them. We, as developers are better qualified than anyone else to do this. 
We know what is important in a bug report, what to tell, how to explain it.


People appreciate that. Often they even reward you with various things like 
free licenses of their product, gimmicks, t-shirts or other more or less 
useful stuff.


Give it a try and see for yourself. Of course, mailing support with "it 
does not work" is not very helpful. But mailing them with "I get a page 
fault in your xxx.dll when I do this or that, see attached mini-dump" is 
more then helpful.


There is an amazing number of really good software producers out there, but 
the number of "good customers" is low. Its like going to a restaurant and 
not complaining about bad food. They will never know and thus not change 
anything.


Andreas