by felixrieseberg 1597 days ago
You seem to misunderstand the original request _and_ the proposal. We so far only have the CCC's request, no further details are known.

If you go by the proposal, FOSS and Open Source are out of scope. In the case of Log4j, companies knowingly selling software that contains an insecure version of Log4j now need to own that defect.


What if they claim that they don't know? You know... haven't got the memo.
Not sure if you’re already trying to make a joke, but there’s a word for that, isn’t there? Negligence.

Doesn’t help your local restaurant if they didn’t get the memo about the poisonous scallops, particularly if there existed a regular scallop-poison-level newsletter they could check.

That could still be considered negligent; if it has a CVE and you're using it, you gotta know about it.