Oracle’s Chief Security Officer Mary Ann Davidson Just Made a Rookie Mistake
August 11, 2015
Oracle Chief Security Officer Mary Ann Davidson was forced to remove a blog post after she made a mistake that made her sound out of touch with the security community. In her online post, she claimed that security researchers who point out flaws in Oracle software may be in violation of the company’s license agreement. She stated that reverse engineering is not allowed under the company’s own terms of service.
Oracle removed the post and quickly noted that Davidson’s view was her own and not that of the company. “We removed the post, as it does not reflect our beliefs or our relationship with customers,” wrote Edward Screven, an executive vice president and Oracle’s Chief Corporate Architect.
Many companies, such as Microsoft and Facebook, will actually pay researchers who report security flaws. Payouts for bug bounty programs typically range from $500 to $100,000 depending on the severity of the hack.
In the post, Davidson wrote:
“If we determine as part of our analysis that scan results could only have come from reverse engineering, we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already”
In a laughable moment, Davidson said that Oracle is better than any researcher at spotting bugs, and that these researchers send plenty of false positives, “so please don’t waste our time on reporting little green men in our code.”
Davidson then claimed that customers should worry about their own network security and not about Oracle.
Davidson wrote that real bug reports would not be ignored. “We may not like how it was found but we aren’t going to ignore a real problem – that would be a disservice to our customers.”
Then she turns on researchers once again, writing, “we will also not give credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
For the record, Oracle can’t handle bug fixes on its own. Over the years the company has received numerous bug fixes and security fixes from independent researchers.
Oracle’s official vulnerability reporting page contradicts Davidson: “Oracle’s policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued.”
Oracle’s Screven issued the following full statement:
“The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”
It looks like it’s time for a new CSO at Oracle.