Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant
Exec opens fire on reverse-engineering and more
Updated: While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.
Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive here.
The tone of the post as a whole is reflected in Davidson's dismissive approach to bug bounties as a waste of money, at best, and naked hostility towards any attempt to reverse engineer Oracle's code.
"Bug bounties are the new boy band (nicely alliterative, no?)," Davidson wrote. "Many companies are screaming, fainting and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers."
"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on."
This attitude is in marked contrast to the likes of Google, Microsoft and Facebook, who have all thrown their weight behind their corporate bug bounty programmes.
Davidson goes on to bemoan customers looking for vulnerabilities in Oracle's code, arguing that they are breaking their licensing agreements and that third-party consultants working on their behalf are bound by those agreements by extension.
It doesn't matter that criminal hackers and intel agencies do reverse engineer Oracle’s code to look for vulnerabilities, according to Oracle. Customers and their suppliers still need to toe the line, whatever their motives, and stick by licensing agreements.
"Oracle’s licence agreement exists to protect our intellectual property," Davidson wrote. "'Good motives' – and given the errata of third-party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than 'but everybody else is cheating on his or her spouse' is an acceptable excuse for violating 'forsaking all others' if you said it in front of witnesses."
Oracle's essential line is that everyone should stop reversing its code, respect its licensing agreement and trust its infosec assurance programme to fix problems that crop up rather than kicking the wheels and looking underneath the bonnet themselves.