Slashdot Mirror


Oracle Exec: Stop Sending Vulnerability Reports

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.

13 of 229 comments

  1. Piss off by bluefoxlucid · Score: 4, Insightful

    We and the blackhat hacker network can find our own vulnerabilities. We will protect you on our own schedule. If you are stabbed, control the bleeding as best you can; if you are shot, try to walk it off.

    1. Re:Piss off by Lumpy · Score: 4, Insightful

      She should, and Oracle should stop hiring incompetent rich idiots for executive positions where they should actually know something about Security and Programming.

      This is the biggest problem: the trend over the past 15 years is that executives in many American corporations are drooling morons when it comes to knowing anything about what they are supposed to be in charge of.

      CSO should have a frigging clue.

      --
      Do not look at laser with remaining good eye.
    2. Re:Piss off by bluefoxlucid · Score: 3, Insightful

      They don't need to know anything about security and programming; they need to know about management. Managers should come ask the technical people how this impacts their business in a practical sense, not go whining about whatever throws them into a purely-emotional fit of pearl-clutching. That's what makes a VP or CEO competent: the ability to survey their business and identify how every significant factor impacts their strategies.

    3. Re:Piss off by garyisabusyguy · Score: 4, Insightful

      A business manager should be able to recognize their own company's Strengths, Weaknesses, Opportunities and Threats (SWOT).

      If they think that having customers notify them when they identify a Weakness in their product, then they are missing out on an Opportunity to identify a Threat, or three of the four things that they should be doing; definitely not a Strength that will keep them in their position.

      Sticking her head in the sand, so to speak, prevents her from getting her own product experts involved, improving their product, allaying the fears of their customers and holding both their competitors and the 'bad guys' at bay.

      --
      Wherever You Go, There You Are
  2. Cocaine by Alain Williams · Score: 3, Insightful

    I did not realise that this was available for free use to Oracle executives to help them reduce the stress induced by pesky customers who are trying to obtain a good service.

  3. Dune Messiah - crime = sin by Anonymous Coward · Score: 3, Insightful

    The masses are so much more compliant when you convince them that crime is a sin.

    Fuck you, Oracle.

  4. Yet another reason to avoid Oracle by jimmifett · Score: 4, Insightful

    Aside from Java (which has its own issues), Oracle's products are, imo, craptastic. Horrid UIs, constantly crashing, slow, design decisions that make no sense, not modernizing, barely following modern standards if at all, insanely overpriced (the least of the problems).

  5. Note to self by denbesten · Score: 4, Insightful

    If I find myself in the position to report a flaw in Oracle products, do so through a responsible disclosure site (e.g. cert.org) and request anonymity.

  6. Not entirely wrong. by Anonymous Coward · Score: 5, Insightful

    While the tone of the piece is more than a little condescending, there's an actual issue here, and she's not wrong about it.

    Most customers would only reach out to a vendor with a bug report when they've actually found a real problem. Those bug reports are always welcome by any reputable vendor. They might be performance, or integrity bugs, or security bugs. Real bugs are good. They're welcome.

    However, there's a second category of people (and she's right that bug bounty programs have somewhat encouraged them) that are the security equivalent of script kiddies - they downloaded a "sploits!" kit off the internet (in this case, often a combination of a decompiler and static analyzer). They don't really understand how the kit works or what it does, but ZOMG I ran it against your code and it found issues! Your software is insecure! See? It says so right here! Now pay me something for all my hard work! I may not understand exactly what it's telling me, but it's telling me you have a bug! This group of people adds very little in the way of new bug discovery (again, most of their output really is known or a false positive).

    That second category of people (especially the ones who demand to be welcomed as liberating heroes) can in many cases get annoying. Because vendors really do run these kits against their code, so most of the time anything that isn't a false positive is a known issue. The back and forth with the customer really can sap time and energy (especially for customers who get strident and demand a "patch" right away or they'll go to the press and tell everyone how bad your code is).

    I don't really blame someone who works in security for feeling frustrated that this small subgroup of customers continues to flood inboxes with "bug reports" that often they themselves don't understand, and which are often not useful.

    That said, this is an absolutely idiotic tone to take in a blogpost directed at your customers. The problem can certainly be expressed in a way that doesn't sound childish, or scolding. This is a seriously dumb way for a company to semi-officially communicate with its customers.

    Disclaimer: I do not and have never worked for Oracle. I don't even particularly like Oracle after the SSO suit against Google.

    1. Re:Not entirely wrong. by Anonymous Coward · Score: 4, Insightful

      Yes, in reading it I found there was a reasonable point in there somewhere: a giant dump from an analysis tool does not constitute a bug report. Too bad it was buried under a ton of condescension and whining about "m-m-m-muh intellectual property!!1!!"

  7. yes, stop sending reports by NostalgiaForInfinity · Score: 4, Insightful

    Not sending reports to Oracle is a good idea: use open source alternatives and submit the reports there.

  8. Re:similar approaches have succeeded. by Coren22 · Score: 1, Insightful

    On the other side of the spectrum, if you take guns from people who use them lawfully, it will really reduce crime!

    --
    APK likes to ask for responses to the same things over and over. Maybe he just likes the responses?
  9. Re:Account to CSO by Anonymous Coward · Score: 0, Insightful

    Well, that is how Womyn Empowerment works. Dare to report any problems now? You misogynist?