by pjmlp 1596 days ago
Fully behind it, even a little corner shop is liable for what they produce, why should software companies be special snowflakes.

If this kind of regulation is the only way to make security part of the development process and chosen tooling and not an afterthought, so be it.


Because you aren't paying for that level of software. NASA paid $1,000 per line of code for the shuttle's avionics software[1] to get it as bug-free as possible. If you want that level of perfection, then you won't be getting current commercial software prices.

1) https://history.nasa.gov/sts1/pages/computer.html

This proposal doesn't demand preemptively bug-free software, it demands that commercial software fix identified security issues within a reasonable timeframe, and establish a defined support window in which it will be expected to do so.

This is exactly the proposal that comes up every time HN discusses things like routers and IoT, which are frequently abandoned without updates despite critical known security issues. Well, now you know when you buy it that "updates will be provided through 2024". If the vendor fails to provide support through that date, the customers will have a claim against the vendor (i.e. it's not a situation of government enforcement, it's between you the customer and the vendor).

And again, the problem is, this is a tragedy of the commons situation. Bad actors who don't provide security updates provide fodder for botnets to attack the rest of us. At some point it becomes necessary to address that, and the way you do that is a measure like this one, to transfer liability to corporations who are "dumping waste" to avoid the cost of proper "software handling".

(also, the easy answer is - open source your software and it won't be an issue! that hypothetical router that a company now has to provide with security updates? just release your router with official DD-WRT/OpenWrt/Tomato support and 95% of your workload goes away.)

The CCC is in favor, and they're not exactly computer-illiterate nobodies, or against innovation in software. Something really has to be done about software quality, or the Internet Of Shit is going to ruin the internet for good.

This doesn't seem to cover novel attacks, just applying basic security patches for a stated lifetime. If that lifetime is "six months" then you have to state that.

If that means we can't buy insecure IoT lightbulbs with no TLS, no authentication and no SHA checking for under $10, I guess we'll just have to live with it.

Plain FUD; every kind of business is subject to liability, no matter the size, and they manage to keep the doors open, including the junk food joint down the street corner.

Lack of incentive contributes a great deal to lack of quality. If the company knows they are going to lose money if they are careless, they'll be less careless. Way too many bugs and security vulnerabilities are consequences of nothing but carelessness and companies thinking they can't be held accountable for anything.