I have a new post at Techdirt, about the Biden Administration's National Cybersecurity Strategy Document, and its call for software developer liability in particular.

In sum: that part is a bad idea.

"Move Over, Software Developers – In The Name Of Cybersecurity, The Government Wants To Drive"

https://www.techdirt.com/2023/09/06/move-over-software-developers-in-the-name-of-cybersecurity-the-government-wants-to-drive/

Interesting argument but I have to disagree: There are some classes of errors where liability does need to ensue, because it is really akin to building a car bumper out of C4.

Buffer overflow errors, SQL injection, command injection, and bad default passwords SHOULD NOT EXIST as vulnerabilities, and those who produce them should be liable for the damage caused.

@ncweaver The list of vulnerabilities that should not exist is exactly as long as the complete list of vulnerabilities: none of them should exist, but we need to be careful about how we ascribe liability for them.

It's easy to say things like "buffer overflow errors should not exist," but it's very much harder to actually prevent them (SQL injection attacks, on the other hand, are fairly easy to prevent). And bugs of this kind may already trigger liability (e.g. against websites).

@adrian

It is TRIVIAL to eliminate programmer-introduced buffer overflow errors in 99% of the programs out there: DON'T FUCKING USE C OR C++!

@ncweaver Sorry, but that's not an acceptable blanket constraint. Once you start prescribing which programming languages can be used you become the very type of bureaucrat that Cathy is concerned about.

@adrian @ncweaver

Bear in mind: I'm not saying that there might not be some bad practices to be avoided. I am just saying that law should not be what enforces that avoidance because there be dragons.

If the government wants to help promote guidance for better ones to use, or educate on ones to avoid, that is not itself objectionable.

@adrian

The problem is two decades+ of education hasn't worked. These are classes of vulnerabilities that should not exist, and the only hammer left is liability, because every professional knows or should know that these practices are bad.

And yes, C and C++ need to be treated the same way as if you were building car bumpers out of C4 and asbestos: it is straight hazardous.

@Cathy Gellis I am curious how you view regulation of medical devices or environmental regulation.