You wouldn't introduce these fines just like that, of course. You would have some reasonable formal procedure. For example, the bug must be documented somewhere (publicly or not), such as in a CVE, and you must have been given enough time to fix it.
I think this is absolutely necessary in these days when vulnerable IoT devices are made into botnets, that people are held responsible for negligence. The damage this can cause is potentially huge.
There should also be a way to punish people if they find a vulnerability internally, and willfully neglect to fix it. The bar for this should be reasonably high, but it is IMHO the same as if a car manufacturer finds a problem with their brakes and ignores it.
Also, there probably would have to be a way for a manufacturer to throw their hands up and say "sorry, we can't fix this", declaring technical debt bankruptcy. In that case, I think it should not necessarily result in criminal charges, but it must have some consequences. Maybe allowing third parties to take the code and deploy fixes, maybe banning sales, losing IP, or having to pay a fine.