Comment Re:Sectigo's policy on malware and revocation (Score 1) 180

This is a copy-paste of what you posted on your website and emailed us. You refuse to admit wrongdoing. "These third parties are the most reliable sources of information about Sectigo certificates used for malware." Is 13/60 "Generic" "ML" "Heuristic" false positives "the most reliable source of information"? Why do you ignore reading the VirusTotal replies? Why did you not contact the antivirus companies themselves? Any software engineer with more than 2 years' experience would know that "generic" "high confidence" just means a packed/obfuscated assembly and nothing else. The fact your company does not know this shows complete, utter incompetence. "Furthermore, the CA/Browser Forum guidelines require such revocation within 24 hours of our becoming aware of it." 24 hours is ample time to contact the companies who bought the certificates; why did you not make any effort to do this? As part of the verification process you have our address, name, phone number, company name, company phone number, email address. You made no effort to contact us through any of these means. Why? You have cost several companies thousands in lost income but you do nothing to rectify the situation. Companies like you are a cancer in this world; you hold us at your mercy and offer us nothing in return. Answer this: how many of the 150 companies whose certs you revoked have you contacted? Any? Show some goodwill and fix this situation.

Comment Re:SECTIGO revoked our certificate without WARNING (Score 1) 180

Here is what I emailed them.

We first contacted you on 30/5/19 via online chat and were told to expect an email.
We contacted you again on 1/6/19 via online chat and were told to expect an email.
We contacted you again on 7/6/19 via online chat and were told to expect an email.
We contacted you again via phone on 12/6/19 at 2:27pm and were told to call back exactly 3 hours later.
We contacted you again via phone on 12/6/19 at 8:17pm and were told to expect an email 20 minutes later (very specifically said 20 minutes later).
We contacted you again via phone on 12/6/19 at 9:15pm and were told to call back in 2 hours as the US office would be open.
We contacted you again via phone on 12/6/19 at 11:25pm and were told the manager was in a meeting and he would call back in 30 minutes.
It is now 12:34am and there has been no call back.

I finally got a callback at 1am Australian time where they basically said tough and they can't offer a refund as it's past 30 days; they also refused to admit wrongdoing despite revoking 150 certificates with no contact. They admitted that 3 other companies had theirs incorrectly revoked as well.

Here is the email I sent back to them:

I understand being able to revoke certificates is a legitimate thing to do in many circumstances. The issue here is we are now at your mercy if you decide to revoke our certificate: a program with a revoked certificate cannot be installed or uninstalled. A program with no certificate at all is better than one with a revoked cert. Ironically, our users cannot even uninstall our "malware" as the MSI installer is signed with the cert. If this was legitimate malware you have ironically made it harder to remove. The only way around this is to get administrator access to every single one of our customers' machines to remove the revoked version of our software; there is a significant cost associated with doing so.

So now we must weigh up what the benefit of a code signing cert actually is. You can effectively block our income stream as a company at any time and tarnish our reputation online. If we don't use the cert we can simply instruct users to click "more info - install anyway" and you have no ability to block our software. Why would we even use a code signing certificate if this is the risk? Also, you told me over the phone that you were given 24 hours to revoke the certificates or, I assume, you would be punished as a root CA. 24 hours is ample time to report this to us. We have multiple phone numbers, email addresses and contacts via our website and our customer registration. You could even automate all of this process, but you did not. Why was this? How can you do something with such a big impact to a company (cut off their income stream) without even a simple automated message or email? Was there even a risk analysis done on this task? What kind of manager would approve such a risky move (you mentioned that 150 certificates were removed automatically) without some kind of contact to the end customer? You also told me that you had at least 3 complaints of companies having their certificate removed incorrectly as a result of this complete balls-up. I bet if you had the decency to contact the rest of the 150 companies you would find far more. The only reason the number is so low is your support is so atrocious that no one can actually get a case escalated or raised to your level, as can be seen by how many times we contacted you in different forms. Now, the complete incompetence aside, I have several items I want actioned. Firstly, I want to ensure there is NO RECORD of us having our certificate revoked due to malware distribution. I will follow up on this in 2 weeks' time; if anyone at Sectigo/Comodo reports that our cert was revoked due to malware we will start legal action.

Certificate revocation is public knowledge, so you have publicly defamed our company by FALSELY marking us as a malware distributor as a result of this; this must be undone and rectified. Secondly, I want to know who reported that our certificate had malware from VirusTotal; I want a contact in email form so I can follow this up to ensure that this doesn't happen again with a different company. I can only hope that other certificate issuers have a more comprehensive system in place to ensure we are warned BEFORE revoking our certificate.

Comment SECTIGO revoked our certificate without WARNING (Score 1) 180

This happened to us as well. We had our certificate revoked by Sectigo for a false positive. I called 6x, emailed 4x and contacted online support about 6x. It took 3 weeks for me to get through to someone, and that involved staying up until 1am Australian time to contact someone in the Ontario office. They said they revoked 150 certificates without contacting any companies. So far 4 have contacted them for having a false positive. They will not offer a refund; however, if you push their buttons enough they will personally transfer you the balance via PayPal as a "refund", but they will not admit wrongdoing. They stand by the decision despite the fact the VirusTotal report that was reported was uploaded by US OURSELVES, and we even commented on it from our own account saying it was a false positive. We also sent emails from all major AV companies whitelisting us. @rastos1 I'd like to contact you privately so we can organise naming and shaming Sectigo as far as we can go. They have shown complete malice and have publicly defamed our companies by marking us as malware distributors. If anyone else has had their cert revoked due to a VirusTotal false positive, please contact me and we can organise to name and shame them. I am working on having several other articles written and published about this disgusting practice.

Comment Re: Not counting the cost of storage (Score 1) 261

It is very unlikely for the wind to stop blowing across the entire country at once. By using large connected grids and diversifying the types of renewable energy you are using, you can minimise the amount of storage required. Not to mention solar thermal with 100% availability is becoming very competitive with coal. Once it is cheaper your point will be moot.
