Oracle Does Damage Control on Blog Dissing Third Party Bug Researchers
Oracle recently posted a blog dissing third party security bug researchers, and then quickly deleted it.
Mary Ann Davidson, Oracle chief security officer, claimed in a blog post that the company does not welcome security researchers who point out its software flaws, reported Business Insider. The blog also warned customers not to reverse engineer Oracle code to find security vulnerabilities. Doing so, she wrote, violates the licensing agreement.
Oracle quickly removed the blog and distanced itself from Davidson’s remarks.
“We removed the post, as it does not reflect our beliefs or our relationship with customers,” Edward Screven, an executive vice president and chief corporate architect, said in a statement.
Static Analysis Reports Increase
Davidson’s post came in response to a growing number of static analysis reports being submitted by Oracle customers, according to Joab Jackson, writing in Computerworld. Static analysis refers to inspecting the object code, or source code, to find vulnerabilities in a program. Davidson said such tests are rarely necessary and often point to flaws that don’t exist, Jackson noted.
Software customers often hire security professionals to examine products for which they spend hundreds of thousands of dollars. The customers then report vulnerabilities they find to the manufacturer.
Some technology companies welcome these reports, Business Insider reported. Microsoft, for one, offers bounty programs paying $500 to $100,000 for finding security bugs. Such companies see a value in incentivizing security experts to report issues first, giving them a chance to fix issues before they become known to potential attackers.
Davidson: Probes Violate Intellectual Property Rights
Davidson, in contrast, indicated in her post that certain security research violates Oracle’s intellectual property rights.
Davidson wrote that if Oracle determines that scan results could only have come from reverse engineering, it sends a letter to the “sinning customer,” and a different letter to the “sinning consultant-acting-on-customer’s behalf.” The Oracle licensing agreement precludes reverse engineering, she added.
So Please Stop It Already.
Davidson further said the company is better than any researcher at spotting issues. Researchers, she claimed, send a lot of “false positives.” She referred to these researchers as “little green men in our code.”
If a customer reports a legitimate bug, she noted, the company may not like how the customer found it but will not ignore the problem.
She said the company will not provide credit to people pointing out bugs in any advisories.
Oracle Has Benefited From Third Party Security Probes
The irony of this situation, according to Business Insider, is that Oracle has in the past fixed security vulnerabilities that were pointed out by independent researchers. Oracle’s official reporting page states that the policy is to credit researchers in the “Critical Patch Update Advisory” document when issuing a fix for a reported security bug.
Oracle’s Screven issued a statement noting that security products and services are critically important to the company. He said the company works with third party researchers and customers to ensure that applications built with Oracle technology are secure. “We removed the post as it does not reflect our beliefs or our relationship with our customers.”
Many security firms were not happy with the blog post, Computerworld’s Jackson noted.
Chris Wysopal, Veracode chief technology officer and chief information security officer, said discouraging customers from reporting vulnerabilities is an attempt to undermine progress in improving software security, Computerworld reported. Telling customers they are violating license agreements by reverse engineering code is also undermining progress, according to Wysopal.
Images from Oracle and Katherine Welles / Shutterstock.