Slashdot Mirror


Oracle Exec: Stop Sending Vulnerability Reports

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.

7 of 229 comments

  1. frog protection by Pseudonymous+Powers · · Score: 5, Funny

    CEO (on phone): Hey, I want to promote Mary Ann Davidson for her years of excellent service in our accounting department. We're going to make her CFO!

    HR Director: Wow, you're making Mary Ann CSO?

    CEO: Yes, CFO! Congratulate her for me.

    HR Director: Are you sure, sir? I mean... Mary Ann... CSO?

    CEO: Yes, of course! She'll make a great CFO!

    HR Director: Do you think she's qualified to be CSO?

    CEO: What do you mean? Of course she's more than qualified to be CFO!

    HR Director: Wait, you're saying CSO, right?

    CEO: Yeah, CFO!

    HR Director: CSO?

    CEO: CFO.

    HR Director: CSO?

    CEO: CFO!

    HR Director: Okay, I think we're on the same page here.

  2. similar approaches have succeeded. by nimbius · · Score: 5, Funny

    I know many security professionals may be alarmed at this practice, but I can assure you other examples exist where this tactic proves effective. For example, by ignoring or forbidding climate change discussion we actually prevent it from ever happening (clapping your hands helps too). Prior to abstinence-only education, teenage pregnancy was ridiculously prevalent in the US. Now that most sex-education courses in America are unstandardized and avoid covering things like condoms, birth control, even simple intercourse, kids are a model of puritanical living.

    I'm also told that the nuanced and layered complexity of immigration reform and homeless war veterans can be tackled by a large wall, and simply not looking at homeless people.

    --
    Good people go to bed earlier.

    1. Re:similar approaches have succeeded. by Calydor · · Score: 4, Funny

      Actually, I think the homeless problem requires a little more than a large wall.

      Let's put in three more walls just to be sure.

      And a roof.

      There! Problem solved!

      --
      -=This sig has nothing to do with my comment. Move along now=-

  3. Re:Every single time by bmarkovic · · Score: 3, Funny

    And you weren't even a customer!

  4. Re:Was not Oracle code in the first place by gtall · · Score: 3, Funny

    Wow, Java and Oracle's DB are built on Flash, that explains much.

  5. Re:Yet another reason to avoid Oracle by 228e2 · · Score: 4, Funny

    Sony begs to differ.

    --
    Since when does being a Socialist mean 'someone who has a different opinion than me'?

  6. If you're still using Oracle... by xxxJonBoyxxx · · Score: 5, Funny

    In Oracle's defense, if you're still using their cash cow database it's fair to say that it will do more financial damage to your company than most hackers could ever do.