Excellent examples Ron, thanks for that. In my mind, there are really 3 different types of responsibility for security issues: Ethical Responsibility - Software vendors have an ethical responsibility to fix their code when they know of a security hole being actively exploited. Whether there is an ethical responsibility to fix security holes that have been discovered but not yet been exploited is really dependent on the risk to their customers. A banking app provider has high ethical responsibility because of the financial risk, while a photo editing app is less essential. I agree that the vendor's ethical responsibility is for their software and stored data only - they are not responsible for repairing users computers. Contractual Responsibility - Some vendors have a contract or license with their users laying out the vendor's responsibility and remedies for security issues. In the case of most shrink-wrap agreements, this should be renamed Contractual Non-Responsibility. Legal Responsibility - In some US states, data breach laws create a legal responsibility to notify users when their information is released. The laws may provide other remedies such as fines and credit monitoring. Sometimes a civil class-action lawsuit can find the software vendor negligent. However, in most cases there is no legal responsibility to take any action. The paper you linked to goes into more detail. // mght ToDo: // Put Signature Here

There's a meetings and get togethers forum that you should have used for this post, rather than putting it in the lounge. It'll be gone from the front page soon, and by tomorrow, it'll disappear several pages in, so people will forget it. I was brought up to respect my elders. I don't respect many people nowadays. CodeStash - Online Snippet Management | My blog | MoXAML PowerToys | Mole 2010 - debugging made easier

Espen Harlinn wrote: What I don't figure is how shareholdres think: How can a person with a maximum attentionspan of 5 minutes, and who is by the way proud of it, be trusted to run something as complex as a corporation? LMAO! So true, I have had 1 to many a manager & CEO like this. Espen Harlinn wrote: They need to get the idea that they are, or rather the company is, in fact often legally resposible - and that when the sh*t hits the fan the costs may reach astronomical figures, depending on who your customers are, the severity of the case, and under what agreeement your company did the work. Not many companies get it & managers really get it, I think this is especially prevalent in a tech start up industry or where startups are coming and going, everyone figures we'll get to it later and hope for the best. Before I got some learning & no I don't mean university. I wrote some pretty terrible security vulnerable code for startups. I shudder to think that it's still in production or some of them are actually using what I wrote. This problem is all to common. Even our colleges and university to a poor job of teaching secure code and secure coding techniques to their students, and therefore the vast majority of them no nothing of it. The reason to educate the dev community. Is it's the devs that are eventually going to make it to manager! *shudder* so if they're not thinking about it now! Ugh. It'll be never!