I think it's important to differentiate between a company being liable for a flaw in their product and gross negligence on the part of the company. The recent quirk that allowed a script to be run when a user used WMP and a browser in close succesion isn't very obvious, and thus should probably be considered just a bug. I know we all hate bugs, but they are always going to exist, no matter what legislation gets passed. On the other hand, how often has Microsoft shoved a product out the door knowing that large security flaws existed, but figuring that they could fix it in a subsequent patch. And how many thousands of systems are compromised because they didn't wait that extra month to fix the obvious flaws? In my opinion, that's gross negligence and that's when a company should be punished.