Most open source software (and closed too, for that matter) that I've come across has a disclaimer of liability for any damages. If this weren't the case, then Microsoft could probably have been sued into oblivion by now. However, I do see potential appeal in a piece of software that has a set guarantee of security, with some sort of compensation to a victim if the software is compromised.
This could actually be an interesting business idea. Take some open source security product that already has community trust. Start a business that does a few things. First, you sell installation and support contracts for the product. Then, you bundle insurance. For a monthly fee, all your customers are in an insurance co-op for the product, and they could potentially claim against it if they get compromised via the product. With the revenues from the support and insurance premiums, you'd be able to fund programmers to enhance and further secure the products. Of course, like any insurance company, there's a risk of getting sued for more than you could cover, but maybe there's a way to protect against that, possibly with a 3rd party insurance policy or bonding.

On Mon, 2003-04-21 at 08:14, Dustin Puryear wrote:
> Dan Geer's "comments on the national strategy to secure cyber-space", in the April 2003 issue of ;login, contains a letter to the cyber-tzars in the nation's government. One of his bullet points is the need to attach liability to claims of security. Essentially, the argument is that if a company claims that a given product is secure then they are liable for any insecurities. A very interesting way to tackle software liability even if only security is addressed.
>
> My question is how does this or any liability affect open source? We can instantly assume that there will be vulnerabilities in open source software. That's not up for debate really. The real question is who, if anyone, is liable if an open source program is found to have been the root cause of a compromise or, in a larger sense, any failure of a system? There are a couple of ways to consider the interplay of liability and open source, and here I mention two:
>
> 1. open source is given blanket immunity. In this case open source is given immunity because users have the right to inspect the code for any issues before use. (I don't think this is too realistic, and neither will most legislatures.) Also, how many companies are willing to risk using software that is immune from the same levels of liability as closed software? I would think that at this point most closed software shops would have embarked on some kind of certification program to show due diligence. Will this leave under-funded open source projects out of the running?
>
> 2. open source is not immune. Will open source writers then be sued? Will projects that have the potential to become great but are still in the early stages be most at risk? How do we reduce this risk? Can we limit liability by following suggested best practices during development? If so, how do we really agree on these best practices? What if we follow them and then the compiler is ultimately the responsible party? Or the system libraries under Linux?
>
> ---
> Dustin Puryear <[EMAIL PROTECTED]>
> Puryear Information Technology
> Windows, UNIX, and IT Consulting
> http://www.puryear-it.com
>
> _______________________________________________
> General mailing list
> [email protected]
> http://brlug.net/mailman/listinfo/general_brlug.net
