Oracle CSO to customers: we don't need your (false positive) bug reports

Oracle's CSO thinks customers who reverse-engineer its code in attempts to find bugs should cut it out because they're not finding much worth acting on and, more importantly, they're violating their licensing agreements.

The condescending tone of the blog post that sets down her objections rankled readers, and presumably customers, so much that Oracle took it down, but not before it was cached.

One excerpt from CSO Mary Ann Davidson's blog: "Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can unlike a third party or a tool actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise."

The flap over the blog prompted this explanation from the company: "We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed to the IDG News Service on Tuesday.

Davidson has a point. Customers' licensing agreements do say they aren't allowed to reverse-engineer the code, which is apparently what they do in order to come up with some of the bugs they say they've found.

Davidson says a lot of them aren't actually bugs, and that the customers who send them in as such just don't understand what bugs are. And the issues customers report can be hundreds of pages long and take too much time to check out.

All of which may be true, but it's not a very slick way to deal with customers and generate goodwill. Better to stick to the path she'd been following, which is to privately send letters reminding customers when they violate the agreements and telling them to stop.

One troubling aspect of Davidson's rant was this statistic: "Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers." So that means 10% of vulnerabilities worth acting on are discovered by customers, the ones she's telling to stop looking for bugs. Apparently she's willing to let that 10% go undiscovered in the name of upholding the licensing agreement.

She's not big on bug bounties, either, a method many software vendors employ to find and then correct flaws with their software. "Bug bounties are the new boy band (nicely alliterative, no?)," she writes. "Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure."

She doesn't at all address the issue of software liability, something that lurks behind her customers' unacceptable behavior. It's an issue that comes up more and more among independent software security researchers, the white-hat hackers. At the Black Hat conference last week, its founder, Jeff Moss, mentioned Oracle in particular as a software vendor that currently doesn't need to buy liability insurance the way airplane manufacturers do in case their products fail.

Right now, Oracle's license disclaimers, and those of software vendors in general, state that they don't guarantee much at all about the quality of their products, he says. But that should change, Moss says, in order to light a fire under software vendors to write more secure code.

Security expert Bruce Schneier, speaking at last week's DEF CON, also called for software liability. He says he realizes that making software live up to a liability standard would mean higher prices. "The cost would be passed on to us, but at least we'd get better security for it," he says.

Davidson had a bad day, for sure, when she wrote that blog post, but by blaming customers for violating licenses and ignoring why they do so, she also ignores that her customers' behavior signals that they want Oracle to do better.
