US senators proposed bipartisan (yes, it’s still possible!) legislation to improve cyber security of IoT devices, the Internet of Things Cyber Security Improvement Act of 2017. Vendors selling Internet-connected devices to the federal government must ensure that their devices are patchable, rely on standard network protocols, do not use hard-coded passwords, and do not contain any known security vulnerabilities.
Paragraph (C) on page 8 spells out that every contract between federal agencies and vendors must contain a
[…] clause that requires such Internet-connected device software or firmware component to be updated or replaced […] in a manner that allows for any future security vulnerability or defect in any part of the software to be patched in order to fix or remove a vulnerability or defect in the software or firmware component in a properly authenticated and secure manner.
Any software distributed under the LGPLv3 license would satisfy this patchability requirement by default: LGPLv3 requires that the LGPLv3-licensed software on the device can be replaced by a modified version of that software.
The proposed bill falls short of requiring patchability for all Internet-connected devices rather than just the ones sold to federal agencies; that would cover smart home devices, toys, set-top boxes, TVs, cars and all other consumer devices.