I was pretty disappointed after reading Mary Ann Davidson's blog post discouraging customers from reverse engineering their software for any reason. As CSO of Oracle, one of the largest software providers in the world, I expected her thoughts on security researchers and responsible disclosure to be more enlightened. Instead, I saw a glib response that echoed sentiment from the turn of the last century.

The post has since been removed from Oracle's official blog, which shows that, while this may be their internal policy and thinking, the company understands it isn't popular to hold such opinions. Because nothing can be deleted from the internet, and because of the Streisand effect, you can find an archive of her post at seclists.org.

Security Innovation strongly stands behind our policy of Responsible Disclosure, and I've written about that before. However, because of Davidson's stance on this subject as evidenced by this post, we have to take a position against ever testing any Oracle-based software, even for our customers, when this may, unfortunately, put them, and their customers, at risk of inheriting

Security Researchers help to push the state of security forward. Their research helps us understand what is possible and what is next to arrive in the security landscape. Without Security Researchers we may very well still be discussing whether basic stack-based buffer overflows are possible, like we did in '96.

Security Researchers frequently give their time and effort away in exchange for the knowledge that they're helping end users have a more secure software experience. It's not fair that end users have to worry their information may be stolen by an online hacker, and it's not fair that they have to trust their vendor to do their due diligence in application security testing, awareness training, and

Bug bounty programs are a great way to extend an olive branch to Security Researchers, but of course they are not the main driver for research to take place. If you think the idea of a free t-shirt or a few hundred dollars is the incentive for a Security Researcher to spend their nights and weekends for three months tracking down an elusive RCE vulnerability, you'll be surprised.

Bug bounty programs are a great sign that there is a caring team on the other end of that security@ email address that wants to build secure software, and it's reasonably likely you're not going to get sued for your trouble.

Davidson's post discredits Security Researchers and Bug Bounties. Her tone is antagonizing and juvenile, and she misses the point of responsible disclosure and research in general. There's a passion in the community and a desire to help all customers and end

Being responsive to these Security Researchers when they give you free vulnerability information is good policy and is well worth your time, even if it means assigning one of your own engineers to slog through a few false positives and already known issues to triage the findings and reach out to the researcher for

Taking Davidson's stance won't increase the number of anonymously reported vulnerabilities, and it certainly won't protect Oracle's users from vulnerabilities. Their software will have the same issues; Oracle and their users just won't know about them and won't be able to protect against them. Fewer researchers will want to spend their time finding and reporting issues to Oracle; in the end this results in nothing but a disservice to their end

Davidson and everybody else knows that Oracle is not unbreakable. It's time they updated their decades-old thinking and welcomed every bit of security help they can get.