
You are either young or don't know any better. All major companies have bug bounty programs and consistently, every few weeks, pay out CRITICAL level bounties, as in an attacker managed to get full server access, access to any account, etc. Security breaches are just a matter of time. Who is to blame is debatable, since being a criminal and breaking into and stealing from a business (digital or physical) is against the law.


The sad fact is that the law in most countries is so toothless (and the law enforcement agencies so far behind) that the legal penalties are mostly just academic.

Bug bounties (and proper education + screening processes for developers) are the most effective way for businesses to prevent security breaches - relying on legal recourse is more of a “shutting the stable door after the horse has bolted” sort of approach.


> Who is to blame is debatable, since being a criminal and breaking and stealing

Not debatable at all - if you get mugged, it's the criminal's fault.

But if you trust your money to a bank, they leave the safe unlocked, and your money is gone, it's their fault. That's literally the whole point of a bank.

Same with your data - when it's stolen, it's usually the company's fault - after all, if there is no security, sooner or later it will happen.

