pcdavid 5 days ago

Isn't this what the European Cyber Resilience Act (CRA) is about? See https://orcwg.org/cra/ and the work of the Open Regulatory Compliance Working Group in general.

rcxdude 5 days ago | parent [-]

More or less, though the CRA is pretty minimal: it has a few basic requirements and hobby/unpaid open source software is not covered. A company integrating open source software is essentially responsible for covering those requirements themselves.

jeroenhd 5 days ago | parent [-]

The company being responsible for the open source components they integrate should solve the biggest dependency problems, though. From a security perspective, it doesn't really matter if a company fixes the bugs themselves or if they pay someone to fix them.