Regarding 1 and 2, my pity is mild if this requirement forced companies to follow principles of secure software development, configuration and deployment. Injecting stuff from deployment config is not hard.
3 is valid and can be tricky, as it would depend on when in the software lifecycle the release would be mandatory. If it's in a wind-down or bankruptcy situation, it would be tricky. Though that discussion is similar to the responsible disclosure discussion, isn't it? Exploiters usually already know them.