I’m putting together a presentation for my colleagues and came up with a few scenarios and want to make sure I’m correct with the risk based on how the license reads. Is there anyone well-versed in the realm of licensing that could make sure I understand and assess the risk correctly?
These are the two scenarios I’ve come up with:
Scenario One:
As a developer, you have implemented a module that helps diagnose a patient. In an error, you included logic that will misdiagnose a patient. Because of this error, a patient was misdiagnosed and the medical facility says your code is to blame. Both the medical facility and the patient want to sue.
So in this scenario, since the MPLv2 is used, Section 7’s “Limitation of Liability” has a liability limitation where the creators are liable in the case of death or injury. However, the Health Care Addendum removes the liability for death and injury but does not erase Section 7 so then would that make us still liable?
Scenario Two:
As a developer, you have created a search option in the Patient Module only available for Administrators. Unfortunately, this logic has introduced a Cross-Site Scripting (injecting a client-side script into a web page) vulnerability and privilege escalation to OpenMRS. A malicious actor has discovered this and dumped the patient database and is now threatening to leak it if the medical facility doesn’t provide payment for it.
In this scenario, since we are providing software “as is”, we would not be liable for any damages incurred.
Would I be correct in my understanding of these two scenarios? Any help would be appreciated.