by Txmm 1845 days ago
Really? I don't think this is at all similar to a car safety recall. That's more like trying to issue a recall for a car because people can smash its windows and break in.

Yeah, of course it's an analogy. But by adding liability we'll get more recalls (patches) done. Vendors will stop playing FUD and will focus on the real cost of their security flaws. And yes, some will still not do patches, just like some car vendors are considered less trustworthy.

But at least the risk of suit will loom over their heads.

But the parent's point is that's still putting the liability on the vendor rather than the actual criminal. Perhaps it's more like if a car is sold without an immobilizer or an alarm, holding the manufacturer liable if it's stolen. But that kind of fails, because it's pretty simple to mandate a handful of security additions to cars, whereas software is orders of magnitude more varied and complex. It would be hard for any vendor, let alone small companies, to prove they'd followed every conceivable best practice. Might even be impossible, as some likely conflict. And if you try to codify exactly what security practices should be followed, what do you do when those practices become obsolete?

Yeah, I think it's just a fault in the analogy and in part demonstrating why reasoning from analogy is faulty.

My point is this: if vendors were liable (at least in part) for security faults in their products, then they would be more diligent about closing those gaps.

Yeah, and in principle I agree. It's just tough to imagine how exactly you'd regulate that in practice without doing a lot of unintended harm along the way, especially to (potential) small vendors.