by pgraf 733 days ago
Imagine a major bridge that was built by a contractor. An internal safety inspector repeatedly warned his supervisors of structural deficiencies that could lead to the collapse of the bridge. Furthermore, in the passage of time two external sources publicly warned about the issue, but the company downplayed the importance. Finally, the bridge collapses. It becomes evident that the company did nothing about the issue because it didn't want to lose contracts selling more flawed bridges. The public would justifiably go nuts, and there would be legal consequences for everyone involved.

What is different in our industry that companies (and managers) get away with such malice?

6 comments

Here in Norway a bridge built with known structural deficiencies did in fact collapse[1], and basically nothing has happened except tax payers get to pay even more for a new bridge.

Unless enough lives are lost, people generally don't care that much it seems.

[1]: https://www.nrk.no/innlandet/statens-vegvesen-legg-fram-rapp...

I'm not sure if this would line up with the Dunbar number or something similar, but it sure seems reasonable that societies and centralized power should never grow beyond the scale where people stop caring.

If the public is expected to keep government and corporations in check but the public doesn't care, it can only end poorly.

> basically nothing has happened

Maybe they proudly stated knowing the risks, and while unfortunate, risks became reality. And then everything is fine.

Boeing in a nutshell.

>What is different in our industry that companies (and managers) get away with such malice?

Software isn't immediately life threatening. That's why it's all the wild west outside of medical and aerospace. While it sucks to have PI leaked to the internet, you do have time to at least take action compared to a door in an airplane coming off.

> Software isn't immediately life threatening

Being a Boeing whistleblower is, though.

I don't understand how this doesn't destroy a company. They willfully ignored a serious risk and it had major national security implications.

Have you tried to use Google customer support?
>What is different in our industry that companies (and managers) get away with such malice?

Lack of professional licensure that binds you to state regulation with jail time as one of the stated punishments besides financial liability.

Heh, the government could start effecting change by mandating licensure and sign-offs by licensed individuals when contracting for software products sold to the government.

Wasn't there something a bit like that with the Morandi bridge that collapsed in Italy?

(There was definitely something like that with the Mottarone cable car that had been running for years with the safety catch disabled. When the tow-rope snapped, with no catch, the cabin rushed down and killed everyone on board.)

So software developers should be criminally liable for introducing security bugs?

Management that knowingly chooses to ignore a major issue should be charged with criminal negligence. The creation of the bug is a common and difficult to avoid mistake. But once it has been found, choosing not to change it despite being warned of the consequences makes you responsible for those consequences.

So if I send an email "Fix all your bugs or else bad stuff will happen", and if they don't fix all their bugs now I can put their devs in jail?

Don't be obtuse. That is obviously not a genuine bug/vuln disclosure.

And you decide what is genuine?

Sorry, this whole thread is a fantasy of nerds thinking they can create a punitive policy for behavior they don't like. But there is no actual substantive framework under which any of these fantasies can come true.

Knowingly? Yes.

What standard do you suggest to prove intent?

How about the same as for fraud, manslaughter, conspiracy... But that's the judiciary's problem anyway. People who campaign for this higher accountability argue that it's such a drastic change from fines that it will change company cultures overnight.

A policy proposal needs a legal framework under which it can actually work. You can't just push that off as "that's the judiciary's problem".