
Inevitable? Preventable? The answer couldn't be more obvious...
Published: 20 February 2002 17:15 GMT
In the 1940s, Grace Hopper, keeper of the mighty Harvard Mark 2, found the cause of its inexplicable breakdown - a moth.
She noted in her log book: "The first case of a bug actually being found."
A bug is a human error - in particular, humans of the developer flavour. And it seems the net is closing in on them. Earlier this month Microsoft pledged to sift through millions of lines of code to weed out these nasty bug things - or rather its developers would.
And today security experts @stake blamed developers, or more specifically development processes, for creating vulnerabilities with catastrophic consequences.
The issue is unquestionably one of responsibility. You don't leave product testing to your customers. You locate the hole before a hacker does it for you - at least that's the theory.
In practice, there's a lot of software out there shipping with great gaping holes in it. Clearly, users need to know as soon as possible that there's a vulnerability, but how do you do this and simultaneously manage to keep the information away from those with malicious intent?
Security holes are obviously going to be found by those who do the most looking, and that's often members of that very grey area in cyberland, who find and publish such stuff without actually committing a crime or reporting it to the vendor.
This is one of Microsoft's gripes. Chief security officer Stuart Okin last week told silicon.com: "I believe that no finder of a security flaw should publicise the vulnerability without coming to us first, and giving us a chance to do something about it."
And even if someone with dubious motives doesn't take advantage of a vulnerability, there's the confidence cost. Potential customers get the jitters about their personal details and the security of e-payments systems - and they take an understandable step back.
So where does this leave us? According to @stake, the onus is on vendors to sharpen up their development processes to minimise the many 'school kid' errors that seem to creep into their software. Beta testing is all very well, but it's no substitute for making bullet-proof software in the first place.
Copyright © 2008 CBS Interactive Limited. All rights reserved.