Oracle has distanced itself from a corporate blog post published by chief security officer Mary Ann Davidson that ranted against security researchers, bug bounties and third parties that reverse engineer Oracle code to find security vulnerabilities.
The blog, which has been mirrored on multiple websites after being removed by Oracle, featured a scathing attack on researchers who send in warnings of potential security vulnerabilities.
"Please do not waste our time on reporting little green men in our code. I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying and mutually-time wasting exercise," said Davidson in the original post.
Despite initially refusing to comment on the situation, a clarification finally came from Edward Screven, executive vice president and chief corporate architect at Oracle.
"We removed the post as it does not reflect our beliefs or our relationship with our customers," he said.
"Oracle has a robust programme of product security assurance and works with third-party researchers and customers to jointly ensure that applications built with Oracle technology are secure."
The tone of the original blog post took many in the security industry by surprise.
Alexander Polyakov, who has worked with Oracle in the past and is currently CTO of security firm ERPScan, published a blog post speaking out against Davidson's position.
"On the one hand, I can agree with the fact that it is a vendor's responsibility and we should not try to help them if they don't want it, but it's not so easy," he said.
"Oracle applications are used in many mission-critical systems. If we identify some issues what can we do to help our customers and Oracle customers? We need to make recommendations to fix it, but if it is a zero-day there is no way to fix it and we need to contact a vendor to help it with fixing this issue."
However, Davidson said in her original post that anyone who reverse engineers software code is breaking the licence terms.
"Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I've been writing a lot of letters to customers that start with 'hi, howzit, aloha' but end with 'please comply with your licence agreement and stop reverse engineering our code, already'," wrote Davidson.
Davidson said that if a "sinning customer" goes against the product licence agreement in an attempt to reveal a security flaw they will be met with a legal response.
"If we determine as part of our analysis that scan results could only have come from reverse engineering we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer's behalf reminding them of the terms of the Oracle licence agreement that preclude reverse engineering, so please stop it already," she wrote.
Again focusing on reverse engineering, Davidson said that even if a researcher discovers a legitimate concern it doesn't justify the action.
"Just like you can't break into a house because someone left a window or door unlocked. I'd like to tell you that we run every tool ever developed against every line of code we ever wrote, but that's not true," the post continued.
Davidson also attacked bug bounties, the process of offering a reward for the discovery of security vulnerabilities, describing them as "the new boy band".
"Many companies are screaming, fainting and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure. Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about three percent and the rest are found by customers," she wrote.
Bounties are used by major technology firms including Facebook, Google, Yahoo and Microsoft. Most recently, Microsoft raised its bounty to up to £65,000 after the release of Windows 10.
Despite Davidson's resolute security position, Oracle recently announced 193 critical security fixes, including 25 for Java, 23 of which were thought to be remotely exploitable.
Meanwhile, security experts on Twitter have been outspoken about the removal of the Oracle blog and have started to mirror the original version.
Oracle *really* hates both reverse engineers and bug bounties: https://t.co/46UhuUtqmk PS. Yes, this is the company behind Java. — Mikko Hypponen (@mikko), August 11, 2015
So was that oracle blog post authentic or did some people at defcon decide it would be funny to write a MAD satire? — Stefan Esser (@i0n1c), August 11, 2015
An archived version of *that* Oracle blog post (now deleted from their site) without the irritating cookie popup: https://t.co/e97aY009FC — Graham Cluley (@gcluley), August 11, 2015
Chris Wysopal, chief technology officer of Veracode, said that Oracle's stance is backward-looking and ignores the realities of modern security practice.
"Discouraging customers from reporting vulnerabilities or telling them they are violating licence agreements by reverse engineering code is an attempt to turn back the progress made to improve software security," he said.