Dan Guido

Since contracts are public, if there is a vulnerability in a contract they are the insurance counterparty for, isn't it in their interest to do everything to prevent that vulnerability from being exploited? Imo, seems like a more certain way of avoiding to reimburse losses.

Let's assume it is covered yes, though it seems to me like if it's not covered then they are back to wearing the security auditor hat and putting their reputation at risk for not resolving it.

Security vendors don’t resolve bugs, we advise on risk. It’s the owners perogative to take risks. If a bug is found after they deploy, that’s on the owner, not on me. I would hope our advice helped address that near inevitably, too, so handling it was quick with little impact.

Your doctor can’t control your legs and make you run. It’s not their fault if you don’t listen to every academic study they know could help you. This fantasy that a security vendor is somehow responsible for a client getting hacked is completely wrong.

I've never implied that security auditors are responsible for bugs in the code they audit, but it seems clear to me that an auditor that continually fails to report and disclose vulnerabilities that later get exploited will have a hard time finding new clients.

Maybe, or maybe you only booked 15 minute checkups when you needed a 2hr physical, or you’ve got a rare disease only a special test could find, or new research came out with risk factors no one understood before, or you didn’t like my advice and ignored it, etc.

Contract auditors have more knowledge about the risks of a system than a doctor could ever have about their patients. If their reports omit overflows that get exploited, it's unlikely people will keep using them. Obscure and rare vulns would likely not affect their reputation.