I'm in a similar situation to Olle.
My sense is that OSS contributors are not liable for the fixes we do for the community, but we are liable to our own clients for whom we are manufacturers.
To the extent that there are (lots of) OSS projects without stewards, I'm unclear what the methods are for them to get or produce attestations that the software they are publishing is developed in a secure fashion. Are there (perverse) incentives for these projects to not create an attestation, as they would accrue liability if an incident occurs that leads to damages? For example, my understanding is that in the case of leakage of PII, a common method to mitigate the damage is to provide packages costing about USD$180 each to users to help them prevent identity theft.
Joe Murray, PhD (he/him)
President, JMA Consulting
416.466.1281
We respectfully acknowledge the autonomy of Indigenous peoples, and that JMA Consulting is located on the traditional territory of many nations including the Mississaugas of the Credit, the Anishnabeg, the Chippewa, the Haudenosaunee and the Wendat peoples which is now home to many diverse First Nations, Inuit and Métis peoples. We also acknowledge that Toronto is covered by Treaty 13 with the Mississaugas of the Credit.