I think if it was in a court of law it'd be quite difficult to prove beyond reasonable doubt that it's malicious unless it was literally something as obvious as `Thread.sleep(5000)` rather than the software just being badly written. I managed to introduce a really annoying and very specific timing issue a few weeks ago completely by accident for example, I reckon the accused would just say 'non-consent is processed differently to consent for $legacy_cruft reasons and it's quite slow, we're incompetent but we're not malicious'.