by chug 3241 days ago
It's more like running valet parking and leaving other people's cars unlocked. Yeah, you should update your process so that your drivers lock the cars, but oh man, that's kind of hard. What if we just tell people their cars are locked up nice and safe and ignore anyone who says otherwise? That's much easier.

I think this response is pretty awful, but I do understand it. This website was probably either made by contractors who are long gone or an internal team who are too incompetent to fix it. Getting either of those parties to address the problem in a timely manner is a huge hassle (that could potentially cost lots of money). Ignoring the problem is easy and free. There's also likely the fear of "oh god, what have we done, and what kind of liability did this open us up to?" that is hard to stomach. It's incredibly stupid, but people usually are when they're both panicked and got caught doing something bad.


> This website was probably either made by contractors who are long gone or an internal team who are too incompetent to fix it.

If I paid a construction contractor to build my office and someone notified me that parts were unsafe or violated the building code, I would either hire the original contractors or new ones to fix it, because otherwise I would be legally liable if I still used it.

If my own employees built it, we would be having an interesting discussion about how it happened, and whether I could trust them to fix it or would need to hire a contractor (or at least fire that manager).

Whenever something new is built that people use, care needs to be taken with safety. The sooner average people realize that affects digital constructs the same as physical ones, the better.

Perhaps the contractors who built the site followed the letter of the contract, and the security requirements were insufficiently specified. Or maybe, in the case of an internal development team, they followed the spec which itself was ambiguous.

People forget that not all developers out there are Silicon Valley Rockstar Unicorn developers, who are thinking about the product's needs and the users and the edge cases. Lots of this kind of work is done at body shops where, if the customer specified the name input field should allow 8 characters, they'll make it allow at most 8 characters even though they know that people have names longer than that. If it comes back as a change request, $$$ cha-ching!

I actually wasn't making an argument about contractors at all, but operators. If you operate something that you've been informed is unsafe, you fix it or stop using it. It gets fixed or you are purposefully endangering people that use it. How it gets fixed and who pays are separate issues.