Liability as a Drupal Developer

ddease2's picture

Good day, all:

My company has been a provider of "traditional" software development for the past 30 years. However, Drupal development - or any other CMS work - has not been a focus of the company, despite the fact that we have extensive coding resources both in-house and out, we manage a significant array of servers in our Orlando data center, and we have a number of local clients (potential Drupal prospects) to whom we provide IT support services.

I joined the company in 2013 to market and develop new business. To accomplish this I'm developing a proposal to management that includes scoping out what being a "Drupal Development" house entails.

The question of liability has arisen from management. Having operated as a one-man show in the past, I'll admit this is not an area that I'm well versed in. So, I'm looking to you - my fellow Drupal community - to share your thoughts on the subject.

To initiate the conversation, here are a few starter questions:

1) In the event of a compromise to a site that you (or your company) has developed, what liability do you assume?

2) Do you have limits of your liability stated in your development agreements/contracts?

3) Do you consciously refrain from hosting the sites you develop in order to remove yourself specifically from "server-related" vulnerabilities and compromises?

4) If you answered "no" to #3, do you host your sites on platforms that (I assume) take responsibility for server-related security, such as Acquia, Pantheon, etc.?

5) For Drupal-related vulnerabilities, how do you address your liability as it relates to "core-code" security issues or issues that have resulted in your custom module work?

6) What type of security/maintenance/support "plan(s)" do you offer your web development clients? Have you found them to be well-received and amicable?

Please feel free to add your insights and opinions. If I have missed a valuable topic, please feel free to add it.

Thank you!

Dan Dease

Comments

1) In the event of a

DigitalFrontiersMedia's picture

1) In the event of a compromise to a site that you (or your company) has developed, what liability do you assume?
If we host and maintain, then we're typically running all the latest security updates and patches so there shouldn't be any breaches. And if there are, we've already done reasonable due diligence to try to prevent it. And in doing so, it's hard to make a case for negligence in order to assign liability. But that's what general business liability insurers are paid to work out.

2) Do you have limits of your liability stated in your development agreements/contracts?
We obviously state that we can't be held responsible for deficiencies in third-party software, etc. which is out of our control yet may affect the operation of the product. General business liability insurance levels are provided where required by contract.

3) Do you consciously refrain from hosting the sites you develop in order to remove yourself specifically from "server-related" vulnerabilities and compromises?
Actually, we find it neater and cleaner to actually do the hosting so that we know EXACTLY what is running so there is no question later of who is to blame for what in the event of an incident. And this helps delineate the app-server interface by knowing what is running on each side and where the fault may have been.

4) If you answered "no" to #3, do you host your sites on platforms that (I assume) take responsibility for server-related security, such as Acquia, Pantheon, etc.?
We have typically used managed or at least partly-managed web hosts where we either have root or near-root access to be able to do our own management where needed on a case-by-case basis. If you're not using a larger host like Acquia or Pantheon, there are small to mid-size vendors out there that are happy to be more of a partner than just a "vendor".

5) For Drupal-related vulnerabilities, how do you address your liability as it relates to "core-code" security issues or issues that have resulted in your custom module work?
Contractually, we never assume liability for Core or other third-party issues. Custom modules, that's a different story, and one that I, happily, have not yet had to work out.

6) What type of security/maintenance/support "plan(s)" do you offer your web development clients? Have you found them to be well-received and amicable?
We have maintenance and support in blocks of time each month with the minimum block of time covering all security and other updates to Core and contrib automatically. So if a client just gets the minimum support/maintenance, their site is always updated.

Hope that helps.

Great Feedback!

ddease2's picture

Very informative. Thanks!

"...So if a client just gets the minimum support/maintenance, their site is always updated."

Are support/maintenance contracts mandatory for your clients?

We deal with this on the "other side of the house" regarding our supported clients. We have a few that have refused support contracts, specifically backup services. Ironically (or maybe not so much) they are the ones who do not adhere to our security policies, which has resulted in us having to assist them in data recovery. These instances have a) cost us time, and b) resulted in us charging them more to restore their environments... "an ounce of prevention" as they say.

My point is, we have moved towards a zero tolerance policy with such clients, as they typically refuse to embrace or acknowledge the bigger "security" picture. We are leaning towards adopting this same attitude for CMS-related clients. Is this thinking sound in the Drupal hosting space?

Again, thanks for your feedback!

Dan Dease


ddease2 - Skype
@ddease2 - Twitter
/dandease - Facebook
/in/dandease - LinkedIn

Support/maintenance contracts

joshicsin's picture

Support/maintenance contracts are not mandatory, but they help keep the site in a good state and hack-free all the time. Not all clients are serious about this. They call you when they are in trouble. I would rather say they are short-sighted and want to save a few bucks.

Other than this, I completely agree with DigitalFrontiersMedia. A zero tolerance policy is required for all the clients.

Regards.

JoshicsIN

skype: info.joshics
Twitter: joshicsin
Facebook: joshicsin
Web: http://joshics.in

Consulting and Business
