In particular, I would require that sellers wishing to disclaim liability grant freedoms 0, 1 and 3, where the only way to exercise freedom 3 is to provide patches against the vendor source.

Thus, I can examine the source for vulnerabilities; I can fix them for myself (and run the fixed version); finally, I can publish my fixes for the benefit of other customers, or I can offer to sell my fixes to the vendor and other customers.