The two members of Congress called on the Commerce Department to investigate risks related to TP-Link routers amid concerns over state-backed Chinese hacking operations.
It discourages self-reporting, makes vendors hostile to security researchers, opens the door to endless litigation over whose component actually “caused” a vulnerability… encourages CYA culture (like following a third-party spec you know is bad rather than making a good first-party one, because it guarantees blame will fall on another party)
In a complex system with tight coupling, failure is normal, so you want to have a good way to monitor and remedy failure rather than trying to prevent 100% of it. The last thing you wanna do is encourage people to be hostile to failure-monitoring.
Why not?
Well…
It discourages self-reporting, makes vendors hostile to security researchers, opens the door to endless litigation over whose component actually “caused” a vulnerability… encourages CYA culture (like following a third-party spec you know is bad rather than making a good first-party one, because it guarantees blame will fall on another party)
In a complex system with tight coupling, failure is normal, so you want to have a good way to monitor and remedy failure rather than trying to prevent 100% of it. The last thing you wanna do is encourage people to be hostile to failure-monitoring.
(See also: Normal Accident theory)