Thoughts on Oracle’s CSO blog post two step

As the weary travelers made their way back from the desert they found themselves sitting in hotels, airports and on planes staring in disbelief at their screens at what they were reading. Fresh from the collective insanity that is BSidesLV, Blackhat and DEF CON so many security types were scratching their noggins trying to make heads or tails of what the CSO for Oracle had just posted on their corporate blog.

The CSO for Oracle, Mary Ann Davidson, went off on an epic diatribe about how researchers should stop trying to find bugs in Oracle products. The gist being that they had a handle on things. This would not be nearly such a catastrophic facepalm were it not for the nature of the post and the fact that her own company took it down. But, thanks to the miracle of modern caching the post remained on Google for a spell and was reposted on Pastebin as well as other sites.

The post went on to outline that Oracle would lay a beat down in the form of a nasty-gram for customers who reverse engineer their software. I never received such a letter when I found a problem in one of their products but, to be fair that was years ago.

The reactions were all over the spectrum. Some were of a mind that the Oracle post was the result of a third party breaching their system. Others were pondering in numerous other scenarios. Was it even Davidson that wrote it? CNN reporter, Jose Pagliery, mentioned on social media that he had received a reply from Oracle when he made an inquiry as to what was going on.

This is what they had to say, “The security of our products and services has always been critically important to Oracle. Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”

Ouch. It appears that Davidson may have deviated from the corporate message. This lead to a deluge of jokes at the expense of Oracle. I can get the idea as to what she may have intended with that post. But, it certainly failed in its execution.

Davidson let fly the vitriol at bug bounty programs as well in this passage,

“ Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers.”

I’m somewhat curious as to the level of frustration that drove the Oracle CSO to this point. This post was rife with it. What I’m afraid that was accomplished here was to raise the ire of the security community and cause an unmotivated wider audience to start taking swings at Oracle products.

Here is the full post on the Wayback Machine.