
I think it's not simple to predict the impact of a breach. I would rather the breach itself be penalized.

I prefer incentives that prevent spilling the milk to post-spill arguments about how damaging the spill may have been.




> I prefer incentives that prevent spilling the milk to post-spill arguments about how damaging the spill may have been.

Then what you want is subsidies to audit popular software/hardware for vulnerabilities.

This is a classic high transaction cost tragedy of the commons. The manufacturer has no incentive to make secure devices because customers still buy the insecure ones. Imposing liability is difficult because the issues are highly technical (difficult for judge/jury to understand) and the damages are highly speculative and hard to calculate. Imposing specific security standards is equally problematic because of the same bad interaction between technical complexity and politicians.

But the solutions are known -- it basically just requires money for security hardening. So have the government provide the money. Without specific byzantine standards it allows the job to be done properly, and providing the money removes the incentive to cut corners.


> But the solutions are known -- it basically just requires money for security hardening. So have the government provide the money. Without specific byzantine standards it allows the job to be done properly, and providing the money removes the incentive to cut corners.

If you don't force the audit, why would a company want to take a risk with testing their product? I feel that at best, it'll end up like "quality seals" on food items. Yes, I can draw a quality seal in Photoshop too.

But even if companies would be somehow willing (how, without forcing them?), then you need to ensure the audits are reliable, and prevent companies from creating a fake rubber-stamping auditing entity, and going to market either way. What's the preferred way to accomplish that?

Companies are in a race to the bottom, and they'll do their best to weasel out of "unnecessary" costs.


The point of the audit isn't to get a seal of approval, it's to identify the security problems, which is 97% of the work of fixing them.

There will always be the company which is literally on fire because it's 0.0013% cheaper in the short term, but that's true no matter what you do because that company will be out of business in six months regardless. You can't change their behavior because they're already in the midst of self-destruction by the time you even become aware of their existence.

Any kind of normal company is going to be happy to have a free confidential security audit, and offering that would in practice significantly improve the security of this garbage.


I see your point better now. I'm still not sure if a normal company is really going to be so happy about free audits (due to IP and extra administrative workload). Do we have an existing precedent of something like this working in other industries, or is this something that hasn't been tested before?


It's the same general principle as insurance companies offering no-copay annual medical checkups.


s/milk/oil/, and suddenly your metaphor is an order of magnitude stronger.



