
Standards for Software Liability: Focus on the Product for Liability, Focus on the Process for Safe Harbor

Jim Dempsey
Tuesday, January 23, 2024, 11:15 AM
A proposed system intended to respond to the criticism that software security is context dependent, to minimize the cost of litigation, and to incentivize improvements in software security.

Published by The Lawfare Institute

In the first paper for Lawfare's new Security by Design Paper Series, Jim Dempsey argues that a workable standard for liability would include a rules-based floor and a process-based safe harbor; none of the existing frameworks for secure software development is sufficiently definitive, but the elements of floor and ceiling are readily at hand.

Section 1 of this paper sets the stage by briefly describing the problem to be solved. Section 2 canvasses the different fields of law (warranty, negligence, products liability, and certification) that could provide a starting point for what would have to be legislative action establishing a system of software liability. The conclusion is that all of these fields would face the same question: How buggy is too buggy? Section 3 explains why existing software development frameworks do not provide a sufficiently definitive basis for legal liability. They focus on process, while a liability regime should begin with a focus on the product—that is, on outcomes. Expanding on the idea of building codes for building code, Section 4 shows some examples of product-focused standards from other fields. Section 5 notes that there have already been definitive expressions of software defects that can be drawn together to form the minimum legal standard of security. It specifically calls out the list of common software weaknesses tracked by the MITRE Corporation under a government contract. Section 6 considers how to define flaws above the minimum floor and how to limit that liability with a safe harbor.



Jim Dempsey is a lecturer at the UC Berkeley Law School and a senior policy advisor at the Stanford Cyber Policy Center. From 2012-2017, he served as a part-time member of the Privacy and Civil Liberties Oversight Board. He is the author of Cybersecurity Law Fundamentals (IAPP, 2021).
