Forum Thread: Should Software Publishers Be Held Liable for Losses Incurred by the Purchasers?

When software companies publish or manufacture a defective product, the losses from a security breach resulting from that defective product can reach the millions of $US, and in rare cases, billions of dollars. Presently, the purchaser/consumer of that product bears the entire burden of those losses. This means that if Microsoft turns out a defective Internet Explorer (IE) that is then exploited to steal your bank account, the loss is borne by you and you have no recourse for compensation from Microsoft (although you may have recourse from the bank).

When other manufacturers produce a defective product, the purchasers/consumers are usually reimbursed for the losses that they incur from the defect in the product. For instance, if an automobile manufacturer produces an unsafe car that injures the purchaser/consumer or others, the automobile companies generally are held liable for the loss in the courts of law (note the Ford Pinto and Explorer models that cost Ford Motor Co hundreds of millions of U.S. dollars). Without delving too deep into the legal theory, automobile manufacturers and others are held to a standard of "strict liability". This means that a manufacturer can be held legally liable for any product that was sold in a "defective or unreasonably dangerous condition". As a result, automobile companies strive to produce safer and safer automobiles to avoid these potential legal liabilities. The same can be said for nearly every other industry that produces a product. They are held legally liable for losses due to defects in their products.

Bruce Schneier, the noted cryptographer, author and commentator on information security, has suggested that if software companies were held liable for the losses attributable to defects in their products, that software would become more secure and much safer. He reasons that software companies would then be more careful about releasing new products before they are ready instead of letting the chips fall on the consumer when they prove defective. He also reasons that if they were held legally liable, these software companies would likely begin to purchase liability insurance for such losses, just like automobile manufacturers do against defects in their products. In turn, the insurance companies would enact strict standards on software safety to avoid losses. The end result, according to Schneier, would be safer and more secure software with fewer security breaches.

Do you think that software developers/publishers should be held liable for defects in their products that lead to financial losses just like every other manufacturer or do they deserve special treatment?

6 Responses

Well I feel it's like this,

With software, you can always just update your software to a more secure version. But with things like automobiles, if they are defective it's not as easy to just "update" them, so to speak, or make them safe again without buying a newer car or buying and installing newer and safer parts.

A defective software could mean a loss in your bank account which you could get recourse from the bank. A defective car could mean death.

There is a difference in severity to me, and if software developers/publishers were to be held liable for their defective product then that might be used as a reason for increasing the price of a paid product or even making a free product into a paid product due to the increase in work to ensure a safe product.

Despite all that though, I do think software developers/publishers should be held liable for any losses incurred, but only for losses incurred due to the defect in the product itself, because I'm all for safer products! It's just that I feel like there's not as much on the line if you have defective software as compared to a defective car or machinery, so they shouldn't be held to as high a standard as automobile manufacturers. I guess that's what I'm trying to say.


You made some great points here. First, it is important that software can be updated, but what if you have already been hacked before the patch/update? Wouldn't this be comparable to an auto manufacturer having a recall to fix a problem?

Second, isn't it unfair to have the bank refund your losses when the problem is with the software company?

Third, it is a good point that a defective automobile may be life-threatening, but not always. Something like defective brakes might simply result in property damage when you hit another auto. They would still be liable for these losses.

Fourth, you are right that it would likely lead to more expensive products and that is exactly what the drug and auto industries claim. Why is the software industry different?


Dear Sir OTW,

I wanted to ask you if backtrack, backbox, buqtrack, nodezero, etc. can be installed as a live OS on a USB. I don't want my whole system OS to be a hacking one, just a live USB one. If this is possible, sir, please tell me how it would be done and what software is required.



Rather than a USB, I suggest that you install BackTrack into a VM or as a dual boot system.


Sir OTW,

I already tried installing VirtualBox, but it didn't work and at the end it showed an error. I have a 32-bit OS. Also, sir, thanks for the quick reply.



Did you use 32-bit VirtualBox? What OS are you using? You might also try VMware Workstation.

P.S. If all else fails, install it as a dual boot system.
