Subscribe / Unsubscribe Enewsletters | Login | Register

Pencil Banner

Oracle CSO to customers: We don't need your (false positive) bug reports

Tim Greene | Aug. 12, 2015
Oracle's CSO thinks customers who reverse-engineer its code in attempts to find bugs should cut it out because they're not finding much worth acting on and, more importantly, they're violating their licensing agreements.

She's not big on bug bounties, either, a method many software vendors employ to find and then correct flaws with their software. "Bug bounties are the new boy band (nicely alliterative, no?)," she writes. "Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure."

She doesn't at all address the issue of software liability, something that lurks behind her customers' unacceptable behavior. It's an issue that comes up more and more among independent software security researchers the white-hat hackers. At the Black Hat conference last week its founder, Jeff Moss, remarks mentioned Oracle in particular as a software vendor that currently doesn't need to buy liability insurance like airplane manufacturers do just in case their products fail.

Now, their license disclaimers and those of other software vendors in general state that they don't guarantee much at all about the quality of their products, he says. But that should change, Moss says, in order to light a fire under software vendors to write more secure code.

Security expert Bruce Schneier, speaking at last week's DEF CON, also called for software liability. He says he realizes that making software live up to a liability standard would mean higher prices. "The cost would be passed on to us be at least we'd get better security for it," he says.

Davidson had a bad day, for sure, when she wrote that blog, but by blaming customers for violating licenses and ignoring why they do, she also ignores that her customers' behavior signals that they want Oracle to do better.


Previous Page  1  2 

Sign up for MIS Asia eNewsletters.