by paulmd
1596 days ago
This proposal doesn't demand preemptively bug-free software; it demands that commercial software fix identified security issues within a reasonable timeframe, and establish a defined support window in which it will be expected to do so. This is exactly the proposal that comes up every time HN discusses things like routers and IoT, which are frequently abandoned without updates despite critical known security issues. Well, now you know when you buy it that "updates will be provided through 2024". If the vendor fails to provide support through that date, the customers will have a claim against the vendor (i.e. it's not a situation of government enforcement; it's between you, the customer, and the vendor).

And again, the problem is, this is a tragedy-of-the-commons situation. Bad actors who don't provide security updates provide fodder for botnets to attack the rest of us. At some point it becomes necessary to address that, and the way you do that is a measure like this one, to transfer liability to corporations who are "dumping waste" to avoid the cost of proper "software handling".

(Also, the easy answer is: open-source your software and it won't be an issue! That hypothetical router that a company now has to provide with security updates? Just release your router with official DD-WRT/OpenWrt/Tomato support and 95% of your workload goes away.)

The CCC is in favor, and they're not exactly computer-illiterate nobodies, or against innovation in software. Something really has to be done about software quality, or the Internet Of Shit is going to ruin the internet for good.