[tgsovlerkhgsel]

> You also can't outlaw a vulnerability. It's an honest development mistake.

You can, however, threaten executives with personally-served jail time if they lead a company in a sufficiently irresponsible manner to allow such a mistake to happen, and can't somehow demonstrate that the measures they implemented were reasonable (despite the prima facie evidence that they weren't, because they failed).

Not saying this should be done in this case, but AFAIK some of the Sarbanes-Oxley Act requirements are being taken very seriously because they have similar provisions.

[cabaalis]

> You can, however, threaten executives with personally-served jail time

How about the developers? The IT guys? Maybe not so enticing an idea now?

[tgsovlerkhgsel]

Where they have a reasonable way to avoid it, I'm all for it to be honest. Engineers go to jail if they build a shoddy bridge.

Key is to require realistic things. Not "humans must not make mistakes", but "process needs to be in place to catch human mistakes". This is not something individual contributors can usually influence.

But in cases like e.g. the VW emission faking scandal, I do think that if (and that's a big if) it can be proven that the developer must have reasonably known what he was doing and that it was part of an illegal scheme, the dev should also be punished: This changes the game from "do it and keep my job, or refuse/whistleblow and lose my job" to "do it and potentially go to jail, or refuse/whistleblow and lose my job" making the second, societally preferable outcome more likely.