<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
<meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
</head>
<body bgcolor="#ffffff" text="#000000">
secure poon wrote:
<blockquote
cite="mid:61f54f4f0706251318k77cea16ex19d9fe4cf9ecb3ac@mail.gmail.com"
type="cite">
<div><strong>Proposition</strong></div>
<div> </div>
<div>Microsoft is a 280+ billion dollar corporation. Why don't/can't
they have a standard ransom fee for security flaws? </div>
<div> </div>
<div>0day Remote OS flaw: $1,000,000</div>
<div>0day IE explorer flaws that give administrative shells: $200,000</div>
<div>0day (other flaws) that affect other products (i.e. Office):
$200,000</div>
<div>etc..(these fees could be much higher)</div>
<div> </div>
<div>Provided the person who discovered the vulnerability gives a
full working patch, then Microsoft could patch the hole right away and
people could update. (Yes, I know lots of people don't update, but at
least it is a start, and then legally they would be so liable.) Maybe
this concept isn't new and I am just in the dark about it.
</div>
<div> </div>
<div><strong>Question</strong></div>
<div><strong></strong> </div>
<div>Why doesn't Microsoft (or any company) do this? And also, has
Microsoft ever been held criminally liable for negligence in a criminal
case for not patching a flaw leading to a security breach? Or is their
team of lawyers just too much for any normal person? </div>
</blockquote>
All I can say is AMEN. Having to sell to TPs, iDefs, and Nation States
is so much more painful.<br>
<br>
Jared :)
</body>
</html>