Are you from the US? In New Zealand suing is mostly a foreign idea and very rarely occurs.
Occasionally criminally negligent behaviour gets spanked - but even there it's often an idiotic scapegoating farce (local examples: CTV building, fund fraud, Royal Commission of Inquiry into the terrorist attack on Christchurch masjidain).
One alternative system is government insurance against harm e.g. New Zealand has a no-fault ACC system for helping victims of industrial accidents.
OSS is infrastructure and trying to scapegoat an individual developer or company for unforeseen harm is insanity. Finger pointing and a culture of blame seem to be unproductive.
A good place to start thinking about policy would be to look at log4j. What policy would prevent that? Would a culture of victimising creators have prevented that vulnerability?
> sue the manufacturer of the hardware device [that starts a fire].
There's the implicit philosophy that we can use reductionism to find a cause.
Finding cause is getting more difficult as we complexify the world. Read reports on disasters, and then try to imagine how to prevent them? There's an almost Christian religious belief that penalising the person who makes a mistake will fix the system.
Cue blaming the pilot. We still often blame the pilot even after decades of work in aviation management to try and produce safety systems that try to apply a fix in the correct place.