The cost of software vulnerabilities (testing patches and patching vulnerable installations) is huge and is not born by the software maker by and large. The idea that the customer can choose to not pay for software that contains vulnerabilities is flawed first of all in that the software company does not provide warranties for the security of its product (only disclaimers if you read the shrink wrap). The customer simply does not have good information when buying the product. Secondly, if the software company engages in anti-competitive practices, it is unfairly limiting the purchasers ability to select alternatives.

So far these costs are all internal to the transaction, because they fall almost exclusively (and some would say unfairly) on the purchaser. The idea of external costs becomes relevant when a vulnerability is exploited to install root-kits and bot-net software on machines that then actively begin attacking other systems or pumping out spam. Of course the perpetrators who exploit the vulnerability should be caught and held responsible, but this in itself is a massive undertaking funded by our tax dollars (a purely external cost). It therefore makes sense to fine software makers for security vulnerabilities in order to help mitigate the cost to society of tracking down criminals that exploit the vulnerabilities. This is economics 101.

[ reply ]

Link to this comment: http://www.securityfocus.com/comments/columns/394/34600#34600