A scathing and now-deleted blog entry from Oracle Chief Security Officer Mary Ann Davidson said that the company does not welcome security researchers who point out flaws in its software, and warned customers that anybody who tries to reverse-engineer Oracle code to find security vulnerabilities is “almost certainly violating [their] licence agreement.”
Oracle removed the post, and quickly distanced itself from it.
“We removed the post, as it does not reflect our beliefs or our relationship with customers,” wrote Edward Screven, an executive VP and Oracle’s Chief Corporate Architect.
It’s not uncommon for Oracle customers (or Microsoft customers or IBM customers or many others) to hire security professionals to poke and prod at the software for which they paid hundreds of thousands of dollars, reporting any vulnerabilities back to the mothership.
Some technology companies are grateful for the report: Microsoft, for example, runs a variety of security bug bounty programs that pay anywhere from $US500 to $US100,000. Many big companies would rather incentivise security experts to come to them first, giving their engineers the chance to patch things up before that hole becomes more widely known to potential attackers.
Apparently, Oracle’s Davidson feels differently. In her post, she suggested that doing certain types of security research violates the company’s intellectual property rights.
If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf — reminding them of the terms of the Oracle licence agreement that preclude reverse engineering, So Please Stop It Already
Moreover, Davidson said that Oracle is better than any researcher at spotting bugs, and that those researchers send a lot of false positives, “so please do not waste our time on reporting little green men in our code.”
Instead, Davidson asked Oracle customers to make sure their own computing infrastructure is locked down, because Oracle can handle its end of the bargain.
If you do report a legit bug, Davidson wrote, “we may not like how it was found but we aren’t going to ignore a real problem — that would be a disservice to our customers.” But don’t expect a bounty any kind of credit, Davidson wrote.
“We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the licence agreement.'”
The irony is that Oracle has endured a lot of security vulnerabilities over the years that were only pointed out by these independent researchers, enabling the company to fix things up. It’s also at odds with Oracle’s official vulnerability reporting page, which says “Oracle’s policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued.”
Again, Oracle has since removed the post. Oracle’s Screven issued the following full statement:
The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.
A copy of the original post has been saved on Scribd and is embedded below: