
You need software companies to provide you with security updates for their products. Insisting that you won’t pay for security updates without new features or that security updates should be offered gratis won’t lead to quality software - it just leads to feature bloat. Attaching a separate price to security updates aligns your needs with a software company’s incentives. Why is that a bad thing in your view?


If you are paying for a subscription there isn’t necessarily an incentive to provide security updates even more, since they have the functionality of your app hostage if you decide to cancel and the automatic monthly billing has no ties to the quantity or quality of updates they push out.

That being said, security updates should be part of the price you already paid, since a security flaw is a flaw in their original software.


> If you are paying for a subscription there isn’t necessarily an incentive to provide security updates even more

I'm not so sure - it'd be much easier to write the email saying "Sorry, we screwed up and got a critical security bug wrong, but here's an update that fixes it." if a significant portion of your users are paying a subscription - compared to writing that same email just as marketing are preparing to try and convince everybody to pay for a new upgrade...

> That being said, security updates should be part of the price you already paid, since a security flaw is a flaw in their original software.

If that was how everything worked - our industry would be _very_ different. If everybody who ever charged money for a piece of software was on the hook forever for all flaws it might have, you'd only ever be able to buy software from Apple or Oracle or Microsoft - there would need to be almost as many lawyers as developers in any software company.

I understand your idea - but it's the same idea as people who call up my work saying "Hey, the app you made us doesn't work any more, you need to fix it!" and everybody here is like "Who the hell are _they???_ Never even heard of them." and it turns out it's a 32 bit iOS app that they paid for in 2013 and we haven't heard from since (and there's only 3 people left in the whole company who were around in '13, and none of them are iOS devs). We do not fix that for them as "part of the price they paid".


> That being said, security updates should be part of the price you already paid, since a security flaw is a flaw in their original software.

Security vulnerabilities generally aren’t considered latent defects under warranty laws (at least not in NA). I’m not sure what the tech world would look like if it were - for one thing, software teams would probably need a P.Eng. on their teams to ship. For another, using open source software would be even harder to do without an intermediary like Red Hat who would be willing to accept tort liability.

At any rate, your software vendor has no legal responsibility to provide you with security updates. Maybe they should. But you’ll pay for that anyways. How do you want to amortize those security updates? By paying the dividend discount price of the updates up front and risk having the product abandoned in a few years (cheating you out of your ‘dividend’), or by paying directly through a subscription?

> If you are paying for a subscription there isn’t necessarily an incentive to provide security updates even more, since they have the functionality of your app hostage if you decide to cancel and the automatic monthly billing has no ties to the quantity or quality of updates they push out.

That makes no sense - you have it completely backwards. Their incentive to provide me with timely security updates is my continued subscription fees. On the other hand, if you pay the dividend discount price for those security updates up front, they have every incentive to stop releasing updates and cheat you out of your update ‘dividend’.


> That makes no sense - you have it completely backwards. Their incentive to provide me with timely security updates is my continued subscription fees

You pay one subscription fee for both "I can use my app at all" and "security updates" together. Once there is enough inertia for you to not want to switch off, you'll probably keep paying (to use the app at all) even if they don't provide security updates.

If there were two fees - #1 a one time lifetime usage fee and #2 a security updates subscription fee then maybe that would make sense, but I don't think so otherwise


Agreed. This is the main distinction. If they are explicitly charging for security updates and being upfront that would be a completely different story. That being said, if they could do that then they can also charge for security updates piece-meal.


> At any rate, your software vendor has no legal responsibility to provide you with security updates. Maybe they should. But you’ll pay for that anyways.

Yes, those costs will ultimately be embedded in product pricing and borne by the customer, but that's good. It gives vendors a financial incentive to develop more secure software and reduce their security update costs (and earn more profit). (Nothing is perfectly secure, but a culture change and following certain practices can help. Think Microsoft pre-trustworthy computing memo and Microsoft today.)


> Maybe they should.



