[atleastoptimal]

Let's say it was coded extremely well, but nevertheless a more advanced exploiter wreaked similar havoc. Would they still be liable in your perfect world? To some degree the principle of caveat emptor should apply in some tiny, nascent business, otherwise only large juggernaut monopolistic incumbents would have the means to have any stake in software.

[Frieren]

> Let's say it was coded extremely well, but nevertheless a more advanced exploiter wreaked similar havoc.

A doctor kills a patient because malpractice. Could that patient have died anyway if the patient had a more critical condition?

That is a non sequitur argument.

> Would they still be liable in your perfect world?

Yes. The doctor would be liable because did not meet the minimum quality criteria. In the same way that the developer is liable for not taking into account any risks and providing a deeply flawed product.

It is impossible in practice to protect software from all possible attacks as there are attackers with very deep pockets. That does not mean that all security should be scrapped.

[pishpash]

Yes, parent is arguing like, what if medical licensing protects the juggernaut hospitals at the expense of the street corner quack?

[esulteric]

"Skip surgery by getting stabbed in an alley. Doctors hate this weird little trick!"

[rsynnott]

Imagine these two scenarios:

Your spouse dies in surgery. The highly experienced surgeon made a mistake, because, realistically, everyone makes mistakes sometimes.

Your spouse dies in surgery. The hospital handed a passing five year old a scalpel to see what would happen.

There's a clear difference; neither are _great_, but someone's probably going to jail for the second one.

In real, regulated professions, no-one's expecting absolute perfection, but you're not allowed to be negligent. Of course, 'software engineer' is (generally) _not_ a real, regulated profession. And vibe-coding idiot 'founder' certainly isn't.

[Arrowmaster]

There is a word for this, negligence. We need to start considering these failures to secure user data as criminal negligence.

[pishpash]

That's always the double-edged sword with regulation, but sooner or later people will demand it, or much more of it.