Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant
Exec opens fire on reverse-engineering and more
Oracle has a long and fractious relationship with security researchers.
Some of this animus can be traced back to Oracle's hubristic claims that its database software was "Unbreakable" in a high-profile marketing campaign. David Litchfield, the Scottish security researcher who did more than anyone to deflate these claims back in 2002, reckons that Oracle's current stance is chiefly an attempt to discourage corporate customers from using third-party app security tools. Litchfield explained: "It's directed at @Veracode and their customers that use it on Oracle code. Besides, you don't need to RE [reverse engineer] to find bugs in Oracle :)"
Davidson's post and arguments were not well received among security types more generally.
"Oracle's legal threats for security researchers who 'reverse engineer' their products is just part of a larger war on researchers," said infosec researcher Rob Graham, the developer who created the BlackICE intrusion prevention tool.
"Oracle cares more about protecting its intellectual property than their customers," added Brian Honan, the independent security consultant who runs Ireland's CERT – a sentiment echoed by other infosec experts.
Rather than shooting the messenger (the fate of bearers of bad news in Ancient Greece), Oracle is advocating "suing the messenger", according to some.
Per Thorsheim, founder of PasswordsCon, noted sarcastically: "Luckily Oracle software is Unbreakable. ;-)"
A few (very much the minority) expressed sympathy towards Oracle.
"If you don't sympathize with the CSO of Oracle you have never had someone give you a Nessus report and tell you to fix everything in it," said Jerry Gamblin.
Others argued Oracle needed to rethink its security policy, as Microsoft did a decade ago starting with Bill Gates' Trustworthy Computing memo of 2002.
"I hope Oracle will soon issue a Microsoft-style Trustworthy Computing memo," said Jeremiah Grossman, founder and CTO of WhiteHat Security. "Their software is too important for the current policy to stand." ®
Is Davidson's blog post, entitled 'No, You Really Can’t', a tribute to fictional New Labour spin doctor Malcolm Tucker?
The opinions expressed are so forceful that some Reg staffers as well as a few infosec experts originally thought the blog post was part of an elaborate hack.
Updated to add
"The security of our products and services has always been critically important to Oracle," the company's Edward Screven, executive vice-president and chief corporate architect, insisted to El Reg in a statement.
"Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."