• Hi Steve,

    I agree that some companies need a kick in the pants to get security fixes out. The hammer of full public disclosure of the threat could be that kick. Or we could force companies (um, the SEC could I suppose) to disclose statistics on handling security threats. I think this would benefit everyone - granted it probably means more "paperwork" for someone like me.

    I haven't thought through exactly how this would work. Or maybe we could do a rating system, think Moody's or Morningstar, for companies that maps to their handling of security threats. Would you want to do business with a company that receives a D? How about a C? This could reduce some of the spin we get from software companies on their responsiveness.

    Just thinking aloud on this Wednesday morning.

    Dan