by BiteCode_dev 1612 days ago
It's actually fantastic to receive such an email. You can answer:

"We are happy to provide you with support regarding this issue for $5000/day"

Then if they accept, proceed to do nothing for 10 days, then reply that you find none of your code is impacted and they are safe, then bill them $50k.

5 comments

> proceed to do nothing for 10 days

That would be fraud. No, start grep on the source code and a few things like that, then provide the results: "a detailed audit found no reference to log4js, so another audit was started which found no reference to any Java code in the C source; it was repeated 5 times to confirm these promising results. Another audit followed the Boltzmann brain hypothesis to check whether the affected log4js binary code could not be spontaneously generated during compilation, by following a Monte Carlo simulation to check for various lengths of binary data that would match the log4j binary code. (...)

Finally, to avoid this extremely remote risk, the code was changed to switch to reproducible builds, which can guarantee this will not happen"
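The "start grep on the source code" step above, written out as a runnable first pass. This is an added example, not code from the commenter or from any project in the thread. It assumes a Java checkout with Maven/Gradle/sbt build files and vendored jars; the function name and paths are hypothetical.

```shell
#!/bin/sh
# Added example: a grep-based first pass for log4j 2 references in a source tree.
# Assumes a Java/Maven/Gradle/sbt layout; scan_log4j and its paths are hypothetical.
set -u

# scan_log4j DIR: print every line or file that declares, imports or bundles log4j 2.
# Exit status 0 if anything was found, 1 if the tree looks clean.
scan_log4j() {
    dir="$1"
    found=0

    # 1. Dependency declarations in build files (direct dependencies only).
    if grep -rEn --include='pom.xml' --include='*.gradle' --include='*.gradle.kts' \
            --include='build.sbt' \
            'org\.apache\.logging\.log4j|log4j-core|log4j-api' "$dir" 2>/dev/null; then
        found=1
    fi

    # 2. Imports in Java/Kotlin/Scala sources (code that calls the logger directly).
    if grep -rEn --include='*.java' --include='*.kt' --include='*.scala' \
            'import org\.apache\.logging\.log4j' "$dir" 2>/dev/null; then
        found=1
    fi

    # 3. Vendored or checked-in jars by file name (a copy that no build file mentions).
    if find "$dir" -type f -name 'log4j-core-*.jar' | grep .; then
        found=1
    fi

    [ "$found" -eq 1 ]
}

# Usage: . ./scan_log4j.sh && scan_log4j /path/to/checkout
```

The caveat a practitioner would want: grep over a checkout only sees what is written down in it. Transitive dependencies pulled in by other libraries, shaded or relocated classes inside fat jars, and deployed artifacts that were never committed all escape this pass, so follow it with the build tool's dependency report (`mvn dependency:tree`, `gradle dependencies`) and a scanner that inspects built jars for the vulnerable class, such as the Google log4jscanner mentioned further down the thread.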

> "No, start grep on the source code"

Or print it out on hard copy, make interns read it line by line, then charge 400% of their labor as your management fee.

What's the purpose of using regexps here? You're optimizing away your own revenue!

There's no need to have actual interns read it, that would be unnecessarily cruel. Service fees don't need to be based on actual billable hours. You can charge 400% of the time it would take interns to read it without actually doing that, as long as your grep one-liner delivers the same value.
Also charge $1/page for the printing. Then ship it to them, in triplicate, and charge for the overnight shipping (it's an urgent bug after all).
Add a note that the lines at risk have been marked!
First you start with some project planning sprints. Later on you will begin the implementation of the command line module exercises.
Yes, but does the other company pay for the retrospective? Or is the retro when we start to spend all the money that was billed?
There was a HN post about selling to the Enterprise market. Doing it the way that was described there would be. Also, to not perform a scam as other posts here would be.

1. Insist that you need to talk to upper management until you get to the CEO.

2. Once there you need to sell them on a fixed-fee contract for five engineers, so let's say $1MM or more

3. Actually create a few scripts that run the log4j scanner from Google.

4. Have an extended support contract by doing this yearly at $1MM.

It's fraud to bill someone T&M for time that wasn't actually spent. You're better off quoting it fixed-fee. :)
Bill hourly with an 80 hour minimum. Then you can give them an invoice for 5 minutes to type the email and bill them for 80 hours.
“I had Martin explain to me three times what he got arrested for because it sounds an awful lot like what I do here every day.”
Well said, and these companies have way too many lawyers with free time to keep suing you. Even if you are right and the judge decides the case in your favour, they are not always required to cover your legal expenses, and the amount of legal fees burned on it won't be worth it.

Fixed fee or monthly "support contract", with a minimum of 1 year.

> Then if they accept, proceed to do nothing for 10 days, then reply you find none of your code is impacted and they are safe then bill them $50k.

Hopefully you don't do that or encourage others to. Just because F500 companies are big, stupid, slow and greedy, doesn't exactly make stealing right.

Yes it does.
> Just because F500 companies are big, stupid, slow and greedy, doesn't exactly make stealing right.

That is precisely why it's right. These capitalists have stolen our labour, and corrupted our politics for centuries. `Stealing` it BACK is the ONLY way history has shown us works.

So this contract is the starting point for the next great Marxist revolution?
You'd probably need all of the 10 days to fight through all of their supplier management forms, answer pointless questions about security certifications, people involved and whether you do business with Iran.