
Oracle CSO to customers: We don't need your (false positive) bug reports

Tim Greene | Aug. 12, 2015
Oracle's CSO thinks customers who reverse-engineer its code in attempts to find bugs should cut it out because they're not finding much worth acting on and, more importantly, they're violating their licensing agreements.

Mary Ann Davidson


The condescending tone of the blog post in which she set out her objections rankled readers, and presumably customers, so much that Oracle took it down, but not before it had been cached.

One excerpt from CSO Mary Ann Davidson's blog: "Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, 'I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can, unlike a third party or a tool, actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code.' I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise."

The flap over the blog prompted this explanation from the company: "We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed to the IDG News Service on Tuesday.

Davidson has a point. Oracle's customer licensing agreements do prohibit reverse-engineering the code, which is apparently how customers come up with some of the bugs they say they have found.

Davidson says many of those reports aren't actually bugs, and that the customers who submit them as such simply don't understand what a bug is. The reports themselves can run to hundreds of pages and take too much time to check out.

All of which may be true, but it is not a very slick way to deal with customers or to generate goodwill. Better to stick to the path she had been following: privately sending customers letters reminding them that they have violated the agreement and telling them to stop.

One troubling aspect of Davidson's rant was this statistic: "Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers." That leaves 10% of the vulnerabilities Oracle actually considers worth acting on being discovered by customers, the very people she is telling to stop looking for bugs. Apparently she is willing to let that 10% go undiscovered in the name of upholding the licensing agreement.
