Pretty much any four-letter .com domain (even gibberish) would sell for upwards of a million dollars these days, too. $1.7 million for a recognizable four-letter domain is if anything substantially lowballing it.
The whole affair seems bordering on blackmail: “pay me, MS, or your customers will get hacked”.
If you were truly concerned about security, you’d have just transferred the domain over. If you want to make a good profit off of that, though, please—don’t make a theater.
If you are both genuinely concerned about security but also desperately need money, what you would effectively end up doing is a reverse auction—start high and go lower until the one buyer you want agrees.
Giving security flaws the publicity they deserve: I’m most unreservedly in favor.
Using publicity to hold someone hostage in order to extract money while hiding behind security concern claims: not a good image.
If I were in a situation where I have nothing to eat and urgently need to liquidate such a domain, I would raise awareness publicly but negotiate in private. If I were relatively well-off, I would arrange a pro-bono handover, publicly or privately, and of course try to raise awareness anyway.
To make matters worse, the sale appears to be handled via an auction. The wide publicity given to the event via Brian Krebs’s website must have attracted attention of a wide range of players, motives unknown. For a reputable corporation to find itself bidding against a theoretical Bitcoin millionaire blackhat is far from desirable on a couple levels (I doubt auction’s KYC can really prevent that, but if it is strict enough then I take back this particular concern).
Thus, the situation as it is just seems to smell to me, though I’m not entirely ruling out good faith with unfortunate execution.
That’s a bizarre claim. Maybe you should read up on previous high value domain name sales before making such statements.
The asking price is perfectly reasonable even if you disregard all the “scamming opportunities”.