
The problem with this law is that unless the organisation is fully decentralised, it will be considered for profit and thus need to abide by all this.

It also means that companies will be reluctant to allow their employees to contribute to software as that would practically force the maintainers to abide by this which costs a lot.

It also sets impossible standards like “must ship code that doesn’t have vulnerabilities”.

And screws the process of dealing with exploits. Instead of informing ahead of time the authors and getting them fixed, then after 3 months issuing an announcement, you first need to inform a public organisation within hours of finding the exploit and then get the organisation to fix the bug again within hours.


