Harms arising from cybersecurity flaws.

Who is responsible when a cyber incident happens? Software liability describes the attempt to codify a legal standard for when a company or vendor of software might be liable to their customers or users for harms arising from cybersecurity flaws. Setting the standards around liability and designing a regime flexible enough to accommodate the astonishing diversity of software components and products and a range of stakeholders from open source developers to cyber insurers poses a daunting task for policymakers.


The Atlantic Council’s Cyber Statecraft Initiative, under the Digital Forensic Research Lab (DFRLab), works at the nexus of geopolitics and cybersecurity to craft strategies to help shape the conduct of statecraft and to better inform and secure users of technology.

Software Liability

Tue, Jan 16, 2024

Design Questions in the Software Liability Debate

Software liability—resurgent in the policy debate since its mention in the 2023 US National Cybersecurity Strategy—describes varied potential structures to create legal accountability for vendors of insecure software. This report identifies key design questions for such regimes and tracks their discussion through the decades-long history of the debate.

by Maia Hamin, Sara Ann Brackett, and Trey Herr, with Andy Kotz

Cybersecurity Software Liability

Wed, Jul 19, 2023

Why Do SBOM Haters Hate? Or Why Trade Associations Say the Darndest Things

SBOMs are an important step forward for software supply chain security, so despite pushback and opposition, industry and government should take a page out of Taylor Swift’s book and just keep cruisin’, don’t let SBOM haters get in the way. 

by John Speed Meyers, Sara Ann Brackett, and Trey Herr

Cybersecurity Software Liability