Sven Slootweg
2 min read · Jan 13, 2016

While I *mostly* agree with this, the idea that something being open-source means you don’t owe anybody anything isn’t quite right. Open-source or not, you are *not* exempt from ‘good citizenship’.

Let me give a (non-technical) example. Say you liked animals, and you liked your hometown enough to invest money into building a public zoo, at no benefit to yourself. This is a great idea, of course, and people can’t really expect you to add their favourite animals — you don’t owe them any such thing.

But let’s say that instead of building a zoo, you released a lion in the streets, with the idea that people could be “closer to nature”. This has the best of intentions, but it is *immensely* dangerous to other people in that town, and will likely affect their safety. Even though the lion was your gift, that does not free you from the responsibility to keep from doing others harm.

The same applies to software. Especially in terms of security, but not exclusively. If you market a piece of open-source software to people and encourage them to use it, then yes, you *do* have a responsibility to resolve security issues as they come up, and to develop the software in such a manner that these issues are minimized — because simply put, poor security can cost actual human lives or otherwise harm other humans.

This is a responsibility that exists independently of the license that it is distributed under, and it is a responsibility that you took on when you encouraged others to use it, implicitly asking them to trust you that it’s safe to use. If you *really* do not want to take responsibility for this, then the only other realistic option is to explicitly warn your users that you don’t.