Fines for companies that don't patch vulns within 90 days? This would encourage shifting left with security to make it easier to fix flaws so they don't overrun product deadlines.