
> How about a simple "devices selling in excess of 500 units must have security devices updates provided for four years from the first date of sale"? Legislation doesn't have to be onerous.

Even this is problematic: you still generate a large incentive for the manufacturer to prevent reverse engineering of the device. If no one can find the exploits because the vulnerable firmware is not readable, the drivers are heavily obfuscated, etc., then they don't have to provide any updates, and only dedicated actors with access to funds will have any chance at success.

In order to prevent this you may have to make the legislation _more_ onerous and require that the manufacturer release to the owners the ability to sign updates and reverse engineer the device. Something like this needs very careful consideration not to create perverse incentives and to maintain competition and pricing.
