[ColinDabritz]

Not the op, but meaningful fines, executive jail time for gross negligence and especially for intentionally taking inappropriate risks, breaking up or closing companies that are shown over time to be unable to safely handle sensitive information. Proper regulation. Consequences that can't be cynically taken as the cost of doing business.

[UncleMeat]

Jail time for bugs? Have people here every worked on products?

Bugs and security vulns are literally inevitable. Security is important but it this was the standard I'm not sure that any company would still exist.

[ColinDabritz]

Jail time for bugs that should have been preventible and caused harm to users. Mistakes and bugs happen, but we also have methods of mitigating them. Standards, quality controls, tests, analysis, and other care. I specifically said jail time for gross negligence because that means not taking care and allowing harm to users.

If you had an error that leaked private information, it's worth an investigation. If it made it through despite controls, that's understandable. If they find you failed to do analysis on the risk to users privacy, if you failed to have controls in place, if you didn't code review or test the code, then you have made specific choices that harmed users. That should be criminal.

We need to take software engineering seriously as a discipline. We have the potential to do more wide scale aggregate harm than any structural engineering collapse. We need to start acting like it.

[UncleMeat]

What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? Manual audits of all dependencies and transitive dependencies on every update? Hire world class auditors to manually inspect code?

I'm a huge security person. It's my job. But its unbelievably difficult to secure programs even if there are clear steps in hindsight that could have prevented a bug.

[AlexandrB]

> What is "should have been preventable"? Mandatory continuous fuzzing of all apis? Interprocedural static analysis to detect all of the owasp top ten? ...

All of the above, possibly. Other engineering disciplines seem to have defined what constitutes due diligence just fine. This isn’t a novel problem.

It’s obviously not possible to make anything perfectly safe or perfectly secure. But it’s certainly possible to define a minimum amount of effort that must be put towards these goals in the form of best practices, required oversight, and paper trails.

Edit: Even “fuzzy” disciplines like law have standards for what constitutes malpractice or negligence when representing a client.

[mirashii]

Nobody said jail time for bugs, and phrasing that way is intentionally obscuring the debate. Gross negligence is an entirely different standard than just software bugs.

[UncleMeat]

Lots of people in this thread are explicitly saying jail time for bugs.

What evidence is there that this was gross negligence?

[vwcx]

But why do financial services bugs garner a higher penalty than one that exposes private photos? This is an argument for regulation.

[Veen]

> Security is important but it this was the standard I'm not sure that any company would still exist.

This is true and it's also the reason why there are more software vulnerabilities than necessary. Software could be a lot more secure. There will always be bugs, but its is possible to build software and platforms with many fewer vulnerabilities. But it's expensive, so we don't, and users suffer the consequences while the companies shrug their shoulders and count their money.