unless the engineer was provably malicious wouldn't it be responsibility of the product owner? Ownership usually entails accountability, they could order proper QA?