Ask HN: Open source software liability? - huangm

If you are running an open source web framework like Django or Pylons and a security vulnerability or bug (in the framework itself) causes sensitive/private data to be leaked (like for example, online banking data), who is liable?

My understanding is that big corporations tend to stay away from open source because they cannot pass on the liability to someone like Sun or MS, but I'm having trouble finding any specific information on this subject.
======
jacquesm
I've yet to see a single case where a closed source software vendor accepted
liability for data loss and / or security related issues.

Do you have a documented case where you can show that a closed source software
vendor was forced to cough up at least a sizable part of the damages sued for?

They all pretty much rule out stuff like that, and it would surprise me if
such a case existed.

The situation is actually the reverse: because closed source gets leaked to
the 'bad guys' only (by buying it off some employee with access), the chances
of trouble there are a lot larger than with open source, where there is a level
playing field and the bad guys have just as much access as the good guys.

So, no, you can't sue anybody in the open source scene, but you can stay
current. And you probably can sue some party in the closed source scene but
the bigger question is what you'll do with the outcome of that suit.

Most likely the damages are limited to the price of the product by contract.

------
clueless123
That is funny! You really think you can pass liability to someone like Sun or
MS? :)

Small suggestion: re-read your EULA/terms, etc.

------
imgabe
I think most open source licenses specifically disclaim any liability for
damages caused by faults in the software.

~~~
nzmsv
So does pretty much every closed-source license. But the liability always
seems to be limited "where permitted by law".

What is this law, and which jurisdictions allow this? I wonder if there is
someone here who knows more on the subject.

~~~
pbhjpbhj
I'd have thought that active damage, including a backdoor for example, would
be the sort of thing that makes you liable and can't be disclaimed under the
law.