I hear what you're saying and I agree, but it's perhaps too black and white.
Let's take one of the most disastrous bugs in recent history: meltdown.
Speculative execution attacks inside the CPU. This required (in Paul Turner's words): putting a warehouse of trampolines around an overly energetic 7-year-old.
This, understandably, took a lot of time, both for microcode and OS vendors. It took even longer to fix it in silicon.
Not everyone is running SaaS that can deploy silently, or runs a patch cadence that can be triggered in minutes.
I work in AAA games and I'm biased. We have to pass special certifications to release patches; if your publisher has good relations, waiting for CERT by itself (after you have a validated fix) is 2 weeks.
Spectre/Meltdown is the perfect example of vendors, Intel and AMD, deflecting blame onto the OS and software producers, successfully avoiding a recall, avoiding refunds for decreased performance and avoiding most of the blame.
What actually should have happened there is a full recall of all affected hardware. Microcode fixes and payments for lost performance in the meantime, until the new hardware arrives.
Meltdown was a disaster, but not only because the bugs themselves were bad, but also and especially because we let Intel and AMD get away scot-free.
There is no world in which a recall (and/or a refund) is ever possible.
Until it is demonstrated that such flaws are a life-and-death fault, no regulation is possible for such flaws (unlike cars, which do have such recalls for faults that have life-and-death implications).
> waiting for CERT by itself (after you have a validated fix) is 2 weeks
If the industry practice were a few days to disclosure, just maybe those practices might change, or maybe there would be an (extra paid) option to skip the line for urgent stuff.