Comment Re:Insecurity caused by security devices... (Score 2) 90

A few comments:

1. Everything of any complexity, including security software, has security issues.

2. We have no idea if this issue was caused by negligence or not. Not hard to believe that it was, but we don't know.

3. You can introduce liability and it should be in some form (coming to the EU with an updated PLD, might eventually reach the US, it's in the admin's Cyber Security Strategy not that I expect a Republican Congress to do anything about it) but... it would result in a) increased product cost to purchasers and b) fewer features. Doesn't mean that it shouldn't be done, just saying that people often don't realize that improved security has negative impacts in other areas.

Comment Re:These Laws are Going to Cause a lot of Turmoil (Score 1) 40

It's not. It's impossible to develop 100% vulnerability-free software today in any sort of cost-effective manner. It would kill software sales (and at least commercial development) in the EU. It would also force users to keep on using old vulnerable software because vendors wouldn't sell them upgrades. I'm hopeful that the EU Commission isn't dumb enough to go that route.

The CRA recognizes this and just requires that vendors provide security updates "without delay." That's not a great approach, as it doesn't do much to encourage vendors to create fewer vulnerabilities to begin with, but it's better than having a vendor be liable for every vulnerability in their software without regard to how it got there.

Comment Re:These Laws are Going to Cause a lot of Turmoil (Score 1) 40

> I think you're saying merely having a vulnerability shouldn't be the trigger for enforcement.

I am. No software vendor would sell in the EU if that happened. Imagine Microsoft, with dozens if not hundreds of vulnerabilities fixed every month; it couldn't afford the liability in that situation. Same thing with Oracle and literally every other vendor. Either that or software that costs hundreds of dollars today would cost hundreds of thousands of dollars (or whatever currency) in the future, pricing pretty much everyone out of buying software.

This is one case where the US actually has a better vision (a rarity, I know): there's a reasonable safe harbor where, if you securely develop your software and can show that, you won't be held liable for vulnerabilities.

Comment These Laws are Going to Cause a lot of Turmoil (Score 1) 40

The requirements of the CRA are going to make proprietary software more secure and safer, but probably more expensive as well (keeping in mind we've only seen a draft of the text, not the final text).

The PLU is much earlier in its process than the CRA, and thus the eventual requirements are very uncertain. There are at least three different possible standards that could come out based on the initial document (which isn't even a draft, more just a statement of intentions). However, one of those standards is that all vulnerabilities are defects, and if a vendor can be held liable for any defect then that's going to make software very expensive. On the other hand, if they keep with current legislation that requires damages, that wouldn't be so bad.

Either way, if open source isn't exempted from these laws, at least when distributed by not-for-profit entities, expect a lot of open source to disappear from the Internet.
