[randoomed]

There needs to be some kind of punishment for failing to take basic security practise into account. A system where a simple disclosure is enough will probably result in company ignoring security, then when there is a problem they disclose and go on without change.

But, it is also important for the fines to be reduced when taking the right steps to improve. Balancing this will probably be quite difficult.

[Buttons840]

Make a law protecting whistleblowers. Include criminal penalties for the worst cases.

What executive is going to brush something under the rug when they know their employees can whistle blow and if so, the executive will go to jail.

[xvector]

Executives can already go to jail for not reporting vulnerabilities. The risk of personal criminal liability is one of the reasons people choose not to move into the Director role, in big tech security careers.

[donalhunt]

They mostly just avoid the countries where they could get arrested in my experience.

[agsnu]

Like the USA?