Oracle Chief Security Officer Mary Ann Davidson was forced to remove a blog post after she made a mistake that made her sound out of touch with the security space. In her online post, she claimed that security researchers who point out flaws in Oracle software may be in violation of the company’s license agreement. She said reverse engineering is not allowed under the company’s own TOS.
Oracle removed the post and quickly noted that Davidson’s view was her own and not that of the company.
“We removed the post, as it does not reflect our beliefs or our relationship with customers,” wrote Edward Screven, an executive VP and Oracle’s Chief Corporate Architect.
Many companies, such as Microsoft and Facebook, will actually pay researchers who report security flaws. Payments under bug bounty programs typically range from $500 to $100,000, depending on the severity of the flaw.
In the post, Davidson wrote:
“If we determine as part of our analysis that scan results could only have come from reverse engineering, we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already”
In a laughable moment Davidson said that Oracle is better than any researcher at spotting bugs, and that those researchers send a lot of false positives, “so please do not waste our time on reporting little green men in our code.”
Davidson then claimed that customers should worry about their own network security and not worry about Oracle.
Davidson wrote that real bug reports will not be ignored. “We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers.”
Then she turns on researchers once again, writing, “We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
For the record, Oracle cannot find and fix all of its bugs on its own: over the years the company has received thousands of bug and vulnerability fixes from independent researchers.
Oracle’s official vulnerability reporting page goes against Davidson: “Oracle’s policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued.”
Oracle’s Screven issued the following full statement:
“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”
It looks like it’s time for a new CSO at Oracle.