Oracle's security chief made a big gaffe in a now-deleted blog post
Oracle removed the post, and quickly distanced itself from it. "We removed the post, as it does not reflect our beliefs or our relationship with customers," wrote Edward Screven, an executive VP and Oracle's Chief Corporate Architect.
Some technology companies are grateful for such reports: Microsoft, for example, runs a variety of security bug bounty programs that pay anywhere from $500 to $100,000. Many big companies would rather incentivize security experts to come to them first, giving their engineers the chance to patch things up before the hole becomes more widely known to potential attackers.

Apparently, Oracle's Davidson feels differently. In her post, she suggested that doing certain types of security research violates the company's intellectual property rights.
so please do not waste our time on reporting little green men in our code." Instead, Davidson asked Oracle customers to make sure their own computing infrastructure is locked down, because Oracle can handle its end of the bargain.
If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, "static analysis of Oracle XXXXXX"), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf - reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already
If you do report a legitimate bug, Davidson wrote, "we may not like how it was found but we aren't going to ignore a real problem - that would be a disservice to our customers." But don't expect a bounty or any kind of credit, Davidson wrote.
"We will also not provide credit in any advisories we might issue. You can't really expect us to say 'thank you for breaking the license agreement.'"

The irony is that Oracle has endured a lot of security vulnerabilities over the years that were only pointed out by these independent researchers, enabling the company to fix things up. It's also at odds with Oracle's official vulnerability reporting page, which says "Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued."
Again, Oracle has since removed the post. Oracle's Screven issued the following full statement:
The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.

A copy of the original post has been saved on Scribd and is embedded below: