Oracle responds to security snipes

Oracle responded to criticism from independent vulnerability researchers after it came under fire for its security practices.

In a company blog, a security manager in Oracle’s global technology business unit insisted the company would not allow external perceptions to drive its security policies.

The row exacerbated the long-standing tension between software vendors and independent vulnerability researchers who find security holes in vendors’ products.

In the blog, Eric Maurice reiterated Oracle’s commitment to strong security practices and said it would continue to prioritise vulnerabilities based on their criticality and not on who discovered them. Maurice also criticised security researchers who disclose zero-day bugs before fixes for them are available, saying they needlessly exposed customers to risk of attack.

The blog post was in apparent response to a string of articles, including one that claimed that Oracle’s database products have had far more vulnerabilities than Microsoft’s SQL Server software over the past six years.

I think Oracle has a point here. Many of these so-called vulnerabilities are revealed with unabashed glee by researchers, with little or no thought to the subsequent threat to users’ security. Microsoft has had similar complaints in the past. It is perhaps no surprise that vendors treat these vulnerability researchers with the contempt that some - though not all - deserve.
