How do you reliably (e.g. legally-definable) differentiate between "stopped supporting" and "haven't released an update in a while because it works fine and there are no major bugs"?
One idea I have heard is that you have to pay $AMOUNT yearly to some registrar to not be subjected to that rule, and with that payment you thereby agree to support the product for another year. Stopping payment means you stop supporting it and are therefore required to release the plans. Going bankrupt/out of business does the same.
Turning off the central servers is a big clue ;) Happened to me with a "Kodak" baby monitor. Still-great hardware left with 10% function.
I accept there is some murky middle-ground so maybe there shouldn't be a start limit. You buy the hardware, you assume the right to alter what it runs (but lose official support thereafter).
When a consumer can point to a major bug or security vulnerability that the manufacturer has not fixed within a reasonable period of time.
That said - I think the above proposal is "release it immediately for the eventuality where they stop supporting it", not "require it be released when they stop supporting it".
I think even defining "major" here is going to be hard. E.g. a lot of CVSS are 8 to 10, because of the _impact_ and now the _exploitability_.
So a very annoying bug that does not have any impact is major, or not major? Like my internet radio sometimes has connectivity issues. It resolves itself, but takes maybe 10-15s. After that, it works fine for a couple of hours or even a day. I wouldn't consider that major, because the product is usable in its intended way, it's just annoying.
I think the court system is generally capable of resolving whether or not a bug makes a product defective. Courts and the legal system are very experienced at dealing with ambiguity.
Absent marketing to the contrary (prior to sale), I would consider a software defined radio that cuts out for 10-15s at a time defective. That outright breaks a lot of use cases. If that's software (and not instead the result of something like damage to your particular unit) I would expect that to be fixed in a reasonable period of time for a product to be considered supported.
You don't: firmware should always be available. I have too many repairable devices which are actually dead because I can't replace a blown microcontroller since the firmware isn't available.
No one should be under an obligation to offer services at cost. It's not even a meaningful concept: if I say the cost of an hour of my time is $N dollars, well, then it is.