brotherhood_of_LAN - 2:33 pm on Jun 13, 2011 (gmt 0)
I am not a lawyer, etc. I think it really comes down to the wording of your working agreement with your developers.
From the moral standpoint? Successful SQL injections are the fault of the developers. Good code is not vulnerable to web-based SQL injections.