by gpm 546 days ago
When a consumer can point to a major bug or security vulnerability that the manufacturer has not fixed within a reasonable period of time.

That said - I think the above proposal is "release it immediately for the eventuality where they stop supporting it", not "require it be released when they stop supporting it".

1 comments

I think even defining "major" here is going to be hard. E.g. a lot of CVSS are 8 to 10, because of the _impact_ and now the _exploitability_.

So a very annoying bug that does not have any impact is major, or not major? Like my internet radio sometimes has connectivity issues. It resolves itself, but takes maybe 10-15s. After that, it works fine for a couple of hours or even a day. I wouldn't consider that major, because the product is usable in its intended way, it's just annoying.

I think the court system is generally capable of resolving whether or not a bug makes a product defective. Courts and the legal system are very experienced at dealing with ambiguity.

Absent marketing to the contrary (prior to sale), I would consider a software-defined radio that cuts out for 10-15s at a time defective. That outright breaks a lot of use cases. If that's a software (and not instead the result of something like damage to your particular unit) I would expect that to be fixed in a reasonable period of time for a product to be considered supported.