Security Quandary: Who’s Liable?. The start of the argument: who should pay for security issues? If they’re the result of an internal misconfiguration then probably the company who configured. If it’s an unknown side-effect of installing software, probably the software manufacturer. Difficult to draw boundaries, though.