Oracle CSO blasted over anti-security research rant

Software giant Oracle has come under fire from the infosec industry after an ill-advised blog post by its chief security officer warned that customers who reverse-engineer Oracle code to find security vulnerabilities were violating their licence agreement.

In the now-deleted blog post (reproduced here), Oracle CSO Mary Ann Davidson said the company did not welcome security researchers who highlighted flaws in its software. She said it was Oracle's job to look for security vulnerabilities and "we are pretty good at it".

Additionally, Davidson warned that certain types of security research on Oracle products violated the company's intellectual property rights.

She said the company regularly sends letters to customers and third-party consultants who perform security tests on Oracle's code over claimed violation of their end user licencing agreements.

"If we determine as part of our analysis that scan results could only have come from reverse engineering .. we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf — reminding them of the terms of the Oracle licence agreement that preclude reverse engineering, So Please Stop It Already," she wrote.

Oracle is more adept at finding security bugs than researchers, who send a lot of false positives, she said. Davidson asked that customers and researchers "please do not waste our time on reporting little green men in our code."

She said Oracle customers should instead focus on making sure their own infrastructure is secure.

For those who report legitimate bugs, she said, while Oracle may not like how a flaw was found, it wouldn't "ignore a real problem".

But don't expect a bug bounty or any kind of reward, Davidson wrote.

“We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the licence agreement'," she said.

"Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure.

"Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about 3 percent and the rest are found by customers."

Security experts lash out

Oracle has since removed the post and distanced itself from it.

“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure," Oracle chief corporate architect Edward Screven said in a statement.

"We removed the post as it does not reflect our beliefs or our relationship with our customers."

"How dare customers try to find an exploitable vulnerability in Oracle software before an attacker does! The horror!" IBRS infosec analyst James Turner tweeted.

"Oracle *really* hates both reverse engineers and bug bounties. PS. Yes, this is the company behind Java," chief researcher at F-Secure Mykko Hypponen said.

"So was that Oracle blog post authentic or did some people at Defcon decide it would be funny to write a MAD satire?" security researcher Stefan Esser said.

Customers of large software vendors such as Oracle, Microsoft, IBM and others regularly test their products for vulnerabilities and report any holes back to the vendor.

Some - such as Microsoft and Google - incentivise customers to discover security issues through bug bounties in at attempt to make sure they can patch any flaw before it lands in the hands of an attacker.