
Maybe we need liability for software vendors? With exemption for those who provide full source code.


> Maybe we need liability for software vendors?

That's a common suggestion, but since no-one knows how to make completely secure systems yet, I don't think it's that simple.

If you're talking about a general presumption that anyone selling software that has a security vulnerability becomes liable for any consequential losses, then it seems likely to result in only large businesses with the war chest to fight a liability action being able to make any sort of remotely risky software and/or in a new insurance industry popping up so that the problem reduces to money and the cost is ultimately passed on to software users in higher prices. While there might be some pressure to improve security as a result, the negative side effects could be far worse for the software industry as a whole.

The next logical step is some sort of penalty for gross negligence or a repeated pattern of failures, where a supplier making reasonable efforts and following generally good security practices isn't at risk of being sent under instantly because of some new type of 0-day that no-one had seen before. But then you have to figure out what constitutes good practice and paying due care and attention, and that in itself is not an easy issue.

> With exemption for those who provide full source code.

I don't see why that should make any difference. Having access to a huge amount of source code is only a benefit for security if you have the skill and resources to perform a detailed audit of your own, and if it's practical to spend that kind of time and money, and if you also have the authority to do something useful about any vulnerabilities you do find.

If someone is giving software away for free as a kind gesture, that's one thing, but I don't see why anyone supplying software on a commercial basis should get out of jail free on security just because they provided source code access. The FOSS world provides ample evidence that many eyes do not, in fact, make all bugs shallow.


> and/or in a new insurance industry popping up so that the problem reduces to money and the cost is ultimately passed on to software users in higher prices

The price of providing a basic level of security should be priced into the product! The fact that someone can go out there and buy an IoT camera that will be used to DDoS my server is a negative externality that constitutes a market failure. I want sketchy IoT manufacturer 32XB123 to be forced to buy liability insurance for that.


> The price of providing a basic level of security should be priced into the product!

The question is whether that is all that would be priced in, or whether the insurance industry, given a rich new feeding ground, would charge huge rates for many types of device in case of catastrophic failure.

My car insurance probably costs me several times the value of my car each year, because I am required to have cover for third party losses as well. That remains true even though I've been driving for a long time and never made a claim so far, because in the nature of insurance, they are guarding against the relatively rare possibility of a relatively high payout.

What happens when your $100 office software package now has mandatory insurance in case each installed instance costs the business $200 in lost revenues from downtime after a breach, or $2,000 in average compensation when a vulnerability leads to personal data being illegally disclosed?


> That's a common suggestion, but since no-one knows how to make completely secure systems yet

We also do not know how to make completely secure cars, but car makers are still liable for faulty construction.


But not for someone who robbed a bank and used the car as a getaway vehicle.


A proposal I saw and liked was liability for software vendors based on what they charge for the software, so open source software doesn't have the problem, but people who bundle a load of open source software together, slap a management interface on it and charge loads of cash for that, do.


What if I give away the software and then sell support contracts?


X writes secure code, Y writes secure code, Z integrates both parts in a secure way. X creates a secure update. X releases an update which makes a race condition with Y leading to elevated privileges possible in Z's product. Who's liable for the issue now?


A hard problem - but what if that race condition kills someone? This used to be a theoretical problem - there were not so many systems that could fail in such catastrophic ways - but we are now putting software into everything.


So if I give away some software for free-as-in-beer, but without source, I'm liable.



