
Ask HN: What's the best way to notify our customers of a vulnerability? - beenalongweek
What's the best way to do this for downloadable software? I see a lot of companies do it wrong and receive harsh (but valid) criticism on this site. The issue is already fixed, but customers need to install the new version.

Also, what do we need to be aware of legally? Do we need to hire a lawyer to review the email we're planning to send?
======
mattbgates
If you collect emails, then send an email to let users know of possible
vulnerabilities (or incorporate a message into the software itself -- disable
functionality until update). Have a general template written up for different
scenarios and revise as necessary.

Don't be afraid to reimburse customers for lost time if necessary, such as
crediting their accounts. It is the least you can do. My webhost company was
out a week ago due to a blackout where it is located, and email was down for a
day. No mention of reimbursement, and many customers were very upset. While I
am a loyal customer, I do have clients who use email, so they were emailing
me. It probably made their business suffer for a day or two, as they were
unable to reply to emails. There is no monetary value that can even make up
for this, but offering some incentive, like a monetary deduction of $5 - $20
on the bill, shows that you are truly sorry for what happened.
Don't write that you will do this, but analyze and understand the situation at
hand, as every scenario is different.

You can use a generic Terms of Service generated to know your direction, but I
suggest personally writing out your Terms of Service in plain English that is
easily understandable and get someone to read it. If there is something they
don't understand, revise it. Clearly state that there may be bugs and
vulnerabilities in the software, but guarantee that you do your best to
encrypt and secure data. For example, before anything gets inputted into a
database, I encrypt it.

I also use a third party like Stripe for processing payments and I store very
limited data about a user's credit card (such as expiration date). In this
case, Stripe is technically responsible for hacks to their own data system, as
I personally cannot be held responsible for what happens, and I make this
known in my Terms.

As for getting a lawyer, there are certain rights you already have as an LLC
or business ( [http://www.nolo.com/legal-encyclopedia/llc-basics-30163.html](http://www.nolo.com/legal-encyclopedia/llc-basics-30163.html) ), if you choose to register ($50 to register in my state),
but I highly-highly recommend that you do your best to keep your PERSONAL
assets and your BUSINESS assets completely separated (including bank accounts,
investments, or even vacations). Come tax time, it is best you do this anyway.
But you could try and find a lawyer who might be affordable and give you a
good deal in the event that something does happen.

So long as you are not knowingly ripping off your customers or committing
illegal activities and you are doing all you can to protect your customer
data, you should be fine. If you believe that something might or could go
dangerously wrong, such as you are taking in million dollar businesses that
are your customers, and you need to protect that data with your life, then you
might want to purchase some type of insurance for your [software] business. In
the event that you get sued or something goes wrong, some of these insurance
companies will look into the case and provide you with money for lawyers,
provide lawyers, or they may even provide additional services like writing a
Terms of Service for your business.

Check out these links which may guide you in the right direction:

[https://it.insureon.com/small-business-insurance/general-liability/93](https://it.insureon.com/small-business-insurance/general-liability/93)

[https://www.trustedchoice.com/business-insurance/industry-types/software/](https://www.trustedchoice.com/business-insurance/industry-types/software/)

[http://www.techinsurance.com/products/](http://www.techinsurance.com/products/)

[http://www.techinsurance.com/products/verticals/programming-and-application-developers/](http://www.techinsurance.com/products/verticals/programming-and-application-developers/)

[http://www.techinsurance.com/web-business-insurance/](http://www.techinsurance.com/web-business-insurance/)

[https://www.thehartford.com/business-insurance/computer-web-it](https://www.thehartford.com/business-insurance/computer-web-it)

