Tuesday, December 17, 2013

Compulsory bug bounties?

Compulsory bug bounties? This is an interesting idea with the objective of fixing a problem that Bruce Schneier has often referenced: the need to make software companies (financially) liable for the security bugs in their products. That's the only way to get software companies to prioritize fixing those bugs. The pricing would need to be worked out in such a way that it was simultaneously effective – but not inhibitory – for both large, mature companies and for startups. Here's the original paper looking at the idea.