Who is legally responsible for XSS vulnerabilities?

[NotionCommotion]

1. Domain name registrar?

The prime web designer if there was a flaw anywhere in the application?

A sub web designer if they were responsible for the flaw?

The entity who issued the domain name?

The individual who maintains the site?

The VPS service provider?

The browser client vendor?

The victim?

The CMS vendor if they allow the site owners to post JavaScript?

The CMS vendor if there is a flaw in a plug-in?

A web designer who uses a framework or CMS backbone which contains a flaw?

The search engine provider who provided a link to the malicious site?

The individual that posted the malicious content?

Someone else?

[fastsol]

In my opinion, whoever built the code that lead to the vulnerability.  So just because a web designer used a third party script, they shouldn't be held responsible for the issue if the issue lies in the third party script.

[Strider64]

Well if a company's website is hacked, it's isn't the web developer who takes the blame in the eyes of the public,  it's the company. Though the company that is taking the blame isn't going to give the web developer a free pass and just let it slide by without taking a hit. So it should be the web developer, but a web designer might get thrown under the bus if the company doesn't distinguish between developer and designer. Though I think that is highly unlikely for most companies are smart enough to realize it's the coding that causes the problems. So my answer is who ever developed the script is the party at fault.  However, the company that gets hacked isn't going to be very pleased with anyone that had anything to do with the website. 

[NotionCommotion]

If the 3rd party script is known to have vulnerabilities, would expect the developer has some responsibility.

 

Agree I should have used the word "developer" and not "designer".

 

My scenario is whether a developer has to take measure to prevent presumably authorized users from misusing the application.  Specifically, Bob is responsible for all content on bob.sites.example.com and Mary is responsible for all content on mary.sites.example.com.  If I allow them to include JavaScript in the content, they can easily implement XSS.  My belief is that allowing them to do so is acceptable provided the terms and conditions prohibit them from using the application other than what it was intended for.

 

I do feel it is an interesting topic, and hope to hear other opinions.

 

Thank you

[QuickOldCar]

I'm in no way a lawyer and even a lawyers advice in a forum wouldn't have much merit, if went to court all would be determined there.

 

It's usually anyone and everyone a party can blame and the lucky ones are those who can afford to get out of it or pass the blame and someone else accepts it.

 

It's not even so much money but a reputation can be at stake.

 

In my eyes if you clearly define in a TOS and also take actions against such wrongful person you should be exempt from blame.

"...and any illegal or malicious activity" is a broad scope

Edited July 26, 2015 by QuickOldCar

[Barand]

If a burglar breaks into my house, don't send him to prison; send the guy who originally built the house.

[NotionCommotion]

If a burglar breaks into my house, don't send him to prison; send the guy who originally built the house.

 

Or maybe the guy who sold the ladder that was used to build the house.