Petronella Blog Archive

You Can't: Oracle's Misplaced Rant

Oracle's CSO recently posted a blog piece berating people for finding and reporting bugs in their code. It was subsequently removed, but not before it was cached, giving plenty of people the chance to voice their opinions on the matter.

The post, by Oracle CSO Mary Ann Davidson, was titled "No, You Really Can't" and you can read it in its entirety here. To sum it up, Davidson says that Oracle doesn't need help finding bugs in their software, and that in any case reverse-engineering their products to find bugs is a violation of their license.

Yeah, because the bad guys who exploit Java and the like care about that.

Davidson went on to say that part of the problem is that users and hobbyists submit all kinds of issues, some of which are not actually issues, and that going through hundreds of pages of code to check such submissions is a waste of time for Oracle, which has people it pays to do that anyway.

Davidson also broke down the percentages of people who find the security vulnerabilities. 87%, she says, are discovered by Oracle, 33% by security researchers and the rest by customers. The rest being, if my math holds, 10%. 10% is a decent-sized chunk of hacker-exploitable area to cover.

She also apparently isn't a big fan of bug bounties, where companies pay programmers, researchers and others for reporting bugs they've found. Google does it, and it's pretty popular. It's also a good way to get people who could exploit vulnerabilities in your systems to help you fix them instead of exploiting them themselves.

Plenty of programmers were a bit put off by Davidson's blog article. It wasn't just the message, but the tone in which it was delivered as well. After unpublishing it, Oracle released a statement saying that it did "not reflect our beliefs or our relationship with our customers."