• kibiz0r@midwest.social
    link
    fedilink
    English
    arrow-up
    2
    arrow-down
    2
    ·
    4 months ago

    Why not?

    Well…

    It discourages self-reporting, makes vendors hostile to security researchers, opens the door to endless litigation over whose component actually “caused” a vulnerability… encourages CYA culture (like following a third-party spec you know is bad rather than making a good first-party one, because it guarantees blame will fall on another party)

    In a complex system with tight coupling, failure is normal, so you want to have a good way to monitor and remedy failure rather than trying to prevent 100% of it. The last thing you wanna do is encourage people to be hostile to failure-monitoring.

    (See also: Normal Accident theory)