Oracle Zero-Day Flaw Project Cancelled
Benny Folds writes "Cesar Cerrudo of Argeniss has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December. Just days before the project was due to start, Cerrudo announced that 'due to many problems,' the WoODB (Week of Oracle Database Bugs) is being scrapped. He did not elaborate on the reasons for the cancellation."
Seems like this was his plan from the beginning. I can't imagine he would risk his clients' security by releasing all these bugs ... he already got tons of publicity from /. and elsewhere.
Huh? Don't mind me, I'm just the new guy.
It may surprise you to learn that some of us pay security consultancies to find bugs in software we use. I don't really care if they then spray them all over milw0rm or keep them quiet for use in their next pen-test; I can make an informed decision on whether to use it, and if so, what sort of controls to include to cover the risk.
Lawsuit threat
This is my opinion. To make sure you don't steal it, it's covered by the DMCA.
1. Start a security consulting firm
2. Request 0-day vulnerabilities from everyone for an event
3. Get threatened with litigation
4. Cancel event
"[We] do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack", Eric Maurice
"Oracle might have caught a break with Cerrudo but the upcoming release of a hacking handbook by database security guru David Litchfield .. titled The Oracle Hacker's Handbook .. promises an in-depth examination of all the techniques and tools that hackers use to break into Oracle database servers"
Considering the hostile position Oracle takes when it comes to publishing benchmark results, I would not at all be surprised if they had an even more hostile position regarding publishing vulnerabilities.
Please correct me if I got my facts wrong.
This is obviously due to legal threats from Oracle towards Cerrudo.
It's not as if database hacking isn't still the easiest way to compromise a server.
The DBAs are angry about 0-day exploits being released as they don't want to do what they are paid for: keep the server current.
Oracle is angry because it makes them look worse than their competition, which is maybe even true. Hey... the database is widely known for its complexity, and we techies all know how much security and complexity like one another.
Finding 7 unexposed Oracle security bugs is not even a challenge!
--
Wil