Slashdot Mirror


Oracle Exec: Stop Sending Vulnerability Reports

florin writes: Oracle chief security officer Mary Ann Davidson published a most curious rant on the company's corporate blog yesterday, addressing and reprimanding some pesky customers that just will not stop bothering her. As Mary put it: "Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it." She goes on to describe how the company deals with such shameful activities, namely that "We send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf — reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already."

Later on, in a section intended to highlight how great a job Oracle itself was doing at finding vulnerabilities, the CSO accidentally revealed that customers are in fact contributing a rather significant 1 out of every 10 vulnerabilities: "Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers." Unsurprisingly, this revealing insight into the company's regard for its customers was removed later. But not before being saved for posterity.

8 of 229 comments

  1. Account to CSO by binarylarry · Score: 4, Interesting

    It's interesting that Mary Ann Davidson was an accountant and then became the CSO at Oracle.

    --
    Mod me down, my New Earth Global Warmingist friends!
  2. Every single time by silentcoder · Score: 4, Interesting

    ORACLE is in the news, they confirm yet again that quitting was the single best career decision I ever made.
    The greatest thing about being an ex-Oracle engineer is not working for Oracle anymore. I very much doubt anybody who has ever resigned from Oracle regrets it.

    Worst company I've ever had the misery to work for.

    --
    Unicode killed the ASCII-art *
  3. Oracle blog (was?) vulnerable to XSS exploit... by Anonymous Coward · Score: 5, Interesting

    And the irony is ...

    https://twitter.com/addelindh/status/631040188010131456

  4. Re:Piss off by Penguinisto · Score: 4, Interesting

    Well, Oracle (or a flack thereof) explained why they dumped the post (quoted in full in an update on TFA):

    "The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."

    Methinks Ms. Davidson may find herself forced into 'spending more time with her family', and updating her resumé fairly soon...

    --
    Quo usque tandem abutere, Nimbus, patientia nostra?
  5. Should be legal in Europe by gweihir · Score: 5, Interesting

    If I remember correctly, reverse-engineering to fix bugs that prevent software from working as intended and to secure systems is always legal in Europe, no matter what the contract says. But it is nice that Oracle confirmed that they do not care about their customers at all except as cash cows. Not that this is a surprise to anybody.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  6. Re:Piss off by Aaden42 · Score: 5, Interesting

    This policy is long-standing. Probably over 10 years ago at this point we found and fixed a connection leak in Oracle's own JDBC driver by decompiling, fixing, and recompiling the affected class. To say they were displeased would be polite.

    It was a production-down issue, we fixed it after their support flailed on it for several days, and they still had the nerve to send us a nastygram for it.

  7. Re:Piss off- text of her blog which was taken down by dbIII · Score: 3, Interesting

    It seems like much of her frustration is from people blindly running static analysis tools on their code, finding false-positive vulns,

    She's not happy about the true positives either - don't look at our stuff if it bugs out is the message she is sending here.

    If the vendors I buy stupidly expensive stuff from started acting that way, I would inform them where they could put their lawyers and go looking for another vendor. I've had to reverse engineer some buggy commercial software on several occasions to find workarounds so that users can get stuff done, and have informed the vendor, who then informed their other customers (known problems list), fixed it, or both.

  8. Re:Piss off- text of her blog which was taken down by rastos1 · Score: 3, Interesting

    That actually sounds pretty sensible.

    No, it does not. A question "What does Oracle do if there is an actual security vulnerability?" is answered with "you found this because you reverse-engineered our code". That does not have to be true. On the other hand, if I perform operation X and the product crashes, then they won't accept a submission unless you "provide a test case to verify that the alleged vulnerability is exploitable".

    I read that clearly as "we do not want you to report any problems" and that makes their vulnerability reporting system just a PR thing.