Slashdot Mirror

← Back to Stories (view on slashdot.org)

Oracle's Chief Security Officer Speaks Out

Posted by Zonk on from the talking-the-talk dept.

s0u1d13r writes "ZDNet Australia posted a special article from Oracle's CSO regarding the treatment and publishing of exploits and vulnerabilities by security researchers. From the article: 'There's a myth about security researchers that goes like this: Vendors are made up of indifferent slugs who wouldn't fix security vulnerabilities quickly -- if at all -- if it weren't for noble security researchers using the threat of public disclosure to force them to act.' An interesting read from the perspective of one of the largest software vendors accused of ignoring vulnerabilities by software researchers."

1 of 112 comments (clear)

  1. Re:But that's true, at least for extensive vulns by gclef · · Score: 5, Informative

    The problem is, a few of the recently-released ones had lag times measured in *years*. Oracle can whine all they like about unrealistic deadlines from researchers, but a few years is far too long to sit on something.

    My reference for the years comment:
    http://www.red-database-security.com/advisory/publ ished_alerts.html

    They waited over 600 days for Oracle to patch some vulns. There's no excuse for that.