Complacency Creates Vicious Cycle of Software Bugs

The Instant Poll in the July 11 SQL Server Magazine UPDATE posed the question, "Do you think Microsoft should be held financially liable for defective software?" The poll received 897 responses, 53 percent of which were "Yes." (To see the poll results, click here.)

I'd like to expand the discussion about defective software to include all software vendors. It's easy and politically correct to poke fun at Microsoft, but the problem of excessive bugs in commercial software cuts across all layers of the software business.

Stamping out every bug in every software program before release might be impossible. I don't believe that the industry should hold software vendors accountable for every bug in their products. However, software consumers have let the quality bar drop precipitously low. Consumers and programmers alike are conditioned to accept a certain number of bugs. This complacency has created a vicious cycle over time. Programmers learn that consumers will accept bugs and that they can defer bug fixes to the next release. Consumers accept that bugs are unavoidable and simply learn to deal with them. Every year, the problem gets a little worse. How can the industry stop the software bug cycle?

Forcing vendors to accept financial responsibility for every bug is a foolish idea. Lawyers will make a ton of money, but consumers will be hurt. Software vendors will resort to charging exorbitant prices to cover the new liability insurance they'll need. Development life cycles will drag on, and we'll wait painfully long periods of time for new software products.

I believe that continuing to accept software bugs will lead to further downward spirals of quality levels in the software industry. I don't expect bridges to fall down from engineering mistakes, and I'm sure that the world's leading software vendors can produce software with fewer bugs, even if they can't entirely eliminate coding mistakes.

You might not know that most major software companies (Microsoft included) ship products with known bugs in them. Product development teams set Quality Assurance (QA) thresholds and prioritize the severity of software bugs. The product ships when the number of severe bugs is low enough that the vendor decides the software is safe to use. (This description oversimplifies the product development life cycle, but it's fairly accurate.) I don't think this approach is horribly flawed, but I'm infuriated that software companies don't publish known defects when the product ships. Most software vendors will triage their products, decide that the quality level is good enough, and ship the product. But vendors typically don't tell customers about all the known defects when the product ships.

I think that the general quality level of software would increase immediately and continue to increase over time if a law forced vendors to publicize all known defects when products ship and to periodically publish updated defect lists as developers or users find new bugs. These lists need to include bug reports from consumers after the vendor's QA team has verified the reports.

Won't vendors cheat? Won't they try to hide defects? I have two answers to those questions. First, a new consumer watchdog agency--let's call it Software Defect Report--could act as a clearinghouse for the public to post defect reports. The clearinghouse could work with the software vendor to validate bugs and wouldn't release dangerous information (such as a security vulnerability) until the vendor has time to respond. Second, and most important, feed software vendors to the sharks if they're caught suppressing defect reports. Protect the vendors from liability for known bugs, but sic the lawyers on them when they suppress bugs.

Wouldn't the software world be a better place if consumers could make informed decisions about purchasing a product after reviewing the bug list? Don't you think vendors would change their QA triage processes if their dirty laundry were on display for the world to see? Tell me what you think by sending your comments to [email protected].

P.S. Thanks to Mike McGuire for his interesting dialogue with me about software defects.