
As a fellow European I think this fight-back rhetoric is pretty stupid. Instead of amassing 0-days by the military and the secret services while gaining us, the population, zero benefits for the millions spent (because we will still get hacked, regardless of the number of 0-days hoarded), why not invest all these resources into securing our broken software infrastructure? Forcing companies to fix their shit?

That would actually help against foreign hackers while also helping the actual population.



How do you force a company that uses OSS to fix the vulnerability? Do you hold the company or the OSS organization accountable? Who do you fine? Both?

I use OSS all the time but I am not capable of fixing a lot of it. I’d just use something else. Companies will just buy closed software instead from companies who will do the support and fixing for them. “It’s closed source we can’t fix it.”


We are talking about hundreds of millions of euros here. The resources are there, just used for propping up prices in the black market instead of securing the software. The EU could pay a bunch of security researchers to review open source software (analogous to e.g. Google's Project Zero). Or implement bug bounty programs for the most used open source software.

In general, though, I think the company using the software should be held liable. Almost every OSS license explicitly disclaims warranty and liability. That means the company has to provide this if it wishes to use the OSS.


> EU could pay a bunch of security researchers to review open source software (analogous to e.g. Google's Project Zero). Or implement bug bounty programs for the most used open source software.

Some EU programmes have done exactly that.


The answer to your first question seems obvious to me. If it's open source, you contribute improvements, rather than forcing anyone else to do so.


How do you, in a democracy, force a company to do this?


With liability law? If a company sells a broken car or lawnmower, liability is expected. Just software seems exempt from this. This has to change.



