
> When you solve ALL of those possible issues, then you can beat that drum all you want. Until then though, this comment is petty at best...

Would you say this in response to someone who harshly reprimanded the designer(s) and implementer(s) of the original Therac-25 control software? [0] If not, why not?

[0] https://en.wikipedia.org/wiki/Therac-25




Thanks for asking.

In the case of danger/damage to human lives a la direct physical injury, there should be a much higher standard.

It is why there exists murder in the first, second, or third degree; with very different punishments.

There is a 'minimum standard' that must always be followed.

I guess you will disagree, but to compare a programming design error in an antivirus product to the Therac incident falls outside normal deterministic logic, and would actually make my point. As someone who has made software for many years, it is not reasonable to expect a Therac or NASA level of diligence.

This is what courts have upheld as well.


> In the case of danger/damage to human lives a la direct physical injury, there should be a much higher standard.

Agreed. In some jurisdictions, people rely on security software to keep them from being identified, and then tortured and/or killed by their governments.

If a given piece of security software that claims to protect its users instead makes them substantially more vulnerable to attacks that would reveal information stored on their machines and/or permit the attacker to install arbitrary software of their own choosing, that is both a breach of trust and -in some jurisdictions- tantamount to handing that user over to the jurisdiction's Inquisitors.

> This is what courts have upheld as well.

Courts have repeatedly upheld that members of the American public don't have standing to challenge the NSA's dragnet domestic surveillance program. While the notion of standing has great value in helping to prevent groundless suits from wasting everyone's time and money, [0] it's pretty clear that the courts

* Are slow to adapt to rapid changes in the nature of the activities they're supposed to adjudicate

* _Often_ fail to be as infallible as they wish they were

While it may not be illegal to be an incompetent security software vendor in America, I -and many others [1] in the industry- think it's entirely reasonable to name, shame, and disparage companies that deem it acceptable to ship "security software" that contains vulnerabilities that anyone with a year of relevant experience [2] under their belt would be able to spot and fix.

> ...it is not reasonable to expect a Therac or NASA level of diligence.

While it would be ideal for security software companies to adopt avionics-software-style design and QA procedures, the errors found by Ormandy are things that would have been obvious to anyone with more than a year in the industry... It's obvious to anyone who reads that bug report that Trend Micro couldn't be arsed to do the industry-standard level of QA and have one of their mid-level guys spend a couple of hours reviewing this part of their consumer-level security software.

While Trend Micro might not be legally liable for it, that's still negligence.

[0] Yes. I'm very aware that court is expensive, slow, and often used as a cudgel against regular folks by people who have rather deep pockets. The requirement to prove standing likely prevents far more nuisance suits than it kills suits that should be heard and judged.

[1] Frankly, I hope that most folks in this business hold this opinion.

[2] In this case, web development experience.



