if you sell me something that says it does X on the box, but doesn't actually do X then that's all the purview needed. if they have to prove it by getting into the source code, then all the better. assuming this would be some 3rd party auditing company doing it for them. why? there's a difference of being so bug ridden that your software doesn't work vs just doesn't even attempt to do what the box claims.
