Oracle has a love-hate relationship with security researchers. Actually, mostly hate. Given that Oracle finds enough of it’s own bugs – it released 193 patches in it’s July patch fest – maybe it doesn’t want people to find any more bugs.
This all started when Oracle Chief Security Officer Mary Ann Davidson wrote a rather long winded rant on her company blog saying that people should stop reverse engineering Oracle’s code because it is a violation of the license agreement and you never find anything worth while – just waste our time.
While the company has axed her blog post, the Internet never forgets, so her post is still available on the Internet Archive.
While she does make some good points, the bad will from the tone of the post way over shadows it.
What she could have said in a lot less words is:
1. The first thing you should do is make sure that the software is configured in the most secure manner reasonable for what your business needs to do.
2. Make sure that you are running the current release and have installed all the patches (it is amazing how many Oracle customers fail this test).
3. Use the tools that Oracle provides to make sure you are not missing any secure configuration issues.
4. Don’t bother to run a static or dynamic code analyzer against our software because 99+% of what they will report are false positives and it takes way too much time to sort out the 1 potentially valid issue out of the 1,000 false ones.
And a note to Ms. Davidson: don’t worry about the reverse engineering of Oracle’s code that some analysis tools do because it is a violation of the license agreement. Anyone who wants to steal your code will ignore the license agreement anyway, so what good do you do by beating up the customers that pay your salary?
She also said that Oracle would not give credit to researchers who find security holes. What that statement does is cause researchers to publish exploits first. As an example, we see a lot of that at BlackHat and Usenix Security for just that reason. The media will give them credit. Then Oracle has to figure out how to do damage control. Not a great move.
There. I think I did that in a lot less words and likely annoyed a whole lot less Oracle customers in the process.
Hopefully, someone took Ms. Davidson to the break room and explained corporate branding 101 to her. If not, the media certainly has.
That being said, as you consider a vendor, covertly assessing that vendor’s posture with respect to security researchers might be useful. The good vendors embrace the reputable researchers because they often find stuff that the vendors don’t find and you don’t have to pay them. Even if you have a bug bounty program, you only pay them if they find something you have not found. More, it is about attitude.
Information for this post came from Wired.