You’re absolutely correct that compliance does NOT amount to a particular product from an IT vendor. NetApp works very closely with partner HW & SW vendors in the compliance ecosystem to help customers assemble a compliant solution according to their needs.

Now regarding the WORM product characteristics you cite above, let me help add some context. Unlike a fixed-size WORM optical platter or tape, NetApp SnapLock is specifically designed to let customers flexibly add or append data at will, with full logging of all activity. The idea is to make existing committed data immutable, but not the entire volume before it’s full.

Also, physical media control always trumps all. Much like you can reformat NetApp disks, you can also scratch a WORM platter or toss a WORM tape into a river. They key requirement for a compliant system is merely to make the users and admins concretely and securely aware that the physical media breach has occurred. In that sense we are data security guards, not bodyguards

So - there’s nothing to wonder about bugs here.
Whenever a piece of software is used to turn a random-access read-write device (hdd) into some kind of “WORM” - it’s the software which does this - and software will always contain bugs …

OTOH - all this “compliance” talk is missing a fundamental issue:
“Compliance” or “Archiving” is not simply a “boxed” product.
(it’s not just “buy it and become compliant”)
It’s complete process, which your company has to implement.
The gear you buy is just a part of this overall process.
If you don’t have a defined process - you have no compliance - regardless how much boxes you buy from whatever vendor …