Oracle responded to criticism from independent vulnerability researchers after it came under fire for its security practices.
In a company blog, a security manager in Oracle’s global technology business unit insisted the company would not allow external perceptions to drive its security policies.
The row exacerbated the long-standing tension between software vendors and independent vulnerability researchers who find security holes in vendors’ products.
In the blog, Eric Maurice reiterated Oracle’s commitment to strong security practices and said it would continue to prioritise vulnerabilities based on their criticality and not on who discovered them. Maurice also criticised security researchers who disclose zero-day bugs before fixes for them are available, saying they needlessly exposed customers to risk of attack.
The blog post was in apparent response to a string of articles, including one that claimed that Oracle’s database products have had far more vulnerabilities than Microsoft’s SQL Server software over the past six years.
I think Oracle has a point here. Many of these so-called vulnerabilities are revealed with unabashed glee by researchers, with little or no thought to the subsequent threat to users’ security. Microsoft has had similar complaints in the past. It is perhaps no surprise that vendors treat these vulnerability researchers with the contempt that some - though not all - deserve.