ExoticPearTree 5 days ago

Most likely yes. There are a lot of enterprises out there that only trust paid subscriptions. Paying for something “secure” comes with the benefit of risk mitigation - we paid X to give us a secure version of Y, hence it's not our fault “bad thing” happened.
MrDarcy 5 days ago (parent)

Counterpoint: most likely no, it really is about all the downstream impacts of critical and high findings in scanners. The risk of failing a SOC 2 audit, for example. Once that risk is removed then the value prop is also removed.
red-iron-pine 4 days ago (parent)

F500s trust the paid subscriptions because it means you can escalate the issue -- you're now a paying client so you get support if/when things explode -- and that also gives you a lever to shift blame or ensure compliance. I recall being an infra lead at a Big Company that you've heard of and having to spend a month working with procurement to get like 6 Mirantis / Docker licenses to do a CCPA compliance project.
staticassertion 4 days ago (parent)

I don't think this is the case here. The reason you want to lower your CVEs is to say "we're compliant" or "it's not our fault a bad thing happened, we use hardened images". Paying doesn't really change that - your SOC 2 doesn't ask how much you spent, it asks what your patching policy is. This makes that checkbox free.