Hacker News
by pompino 728 days ago
So software developers should be criminally liable for introducing security bugs?
2 comments

Management that knowingly chooses to ignore a major issue should be charged with criminal negligence. The creation of the bug is a common and difficult-to-avoid mistake. But once it has been found, choosing not to change it despite being warned of the consequences makes you responsible for those consequences.
So if I send an email saying "Fix all your bugs or else bad stuff will happen", and they don't fix all their bugs, now I can put their devs in jail?
Don't be obtuse. That is obviously not a genuine bug/vuln disclosure.
And you decide what is genuine?

Sorry, this whole thread is a fantasy of nerds thinking they can create a punitive policy for behavior they don't like. But there is no actual substantive framework under which any of these fantasies can come true.

Knowingly? Yes.
What standard do you suggest to prove intent?
How about the same as for fraud, manslaughter, conspiracy... But that's the judiciary's problem anyway. People who campaign for this higher accountability argue that it's such a drastic change from fines that it will change company cultures overnight.
A policy proposal needs a legal framework under which it can actually work. You can't just push that off as "that's the judiciary's problem".