Mary Ann Davidson, CSO of Oracle, unleashed a firestorm of controversy this week thanks to a misguided and ill-advised blog post. Davidson ranted about customers doing independent vulnerability scans to detect flaws in Oracle code and stressed that any poking around in the Oracle code is a violation of the licensing terms of service. On top of being inappropriate in its tone and unbecoming of a C-level executive at a company like Oracle, the blog post alienates both customers and security researchers in a way that doesn’t benefit anyone. Oracle has since removed the post, but the genie is out of the bottle and the public relations damage is already done.

Davidson explained in her post:

If we determine as part of our analysis that scan results could only have come from reverse engineering (in at least one case, because the report said, cleverly enough, “static analysis of Oracle XXXXXX”), we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf – reminding them of the terms of the Oracle license agreement that preclude reverse engineering, So Please Stop It Already. (In legalese, of course. The Oracle license agreement has a provision such as: "Customer may not reverse engineer, disassemble, decompile, or otherwise attempt to derive the source code of the Programs..." which we quote in our missive to the customer.) Oh, and we require customers/consultants to destroy the results of such reverse engineering and confirm they have done so.

To be fair, Davidson is technically correct about the legalities of reverse-engineering the Oracle code as governed by the license agreement. Punishing customers or security researchers for doing due diligence and discovering flaws that Oracle itself has missed, however, is a good way to lose customers.

“Modern security means taking a broad approach and that includes working with the research community. It is common for older companies to fear security researchers,” explained Katie Moussouris, Chief Policy Officer of HackerOne. “However, even companies with older code bases and broad enterprise support and compatibility issues can still make incentives, or bounties, that create a win-win-win between the security research community, the company, and ultimately the customers who benefit from greater security. As I always say, Don't Hate the Hacker; Hate the Vuln.”

Brenden Vaughan, Director of Threat Research for Webroot, said, “Personally I think it does no one any good to attempt to prevent customers from looking for security flaws in any software or operating system. Cybercriminals will not stop attempting to find vulnerabilities they can exploit, so it is of vital importance that a white hat attempt to find them first.”

Oracle may very well have top-notch developers and security researchers vigilantly analyzing code to identify and resolve all detected flaws. Once software is released in the real world, though, it is subject to unique scenarios and conditions that expose it to risks Oracle may never have considered. Morey Haber, VP of technology for BeyondTrust, stressed that cybercriminals and foreign nations don’t care about Oracle’s licensing agreement. “They will stop at nothing to find a flaw and leverage it against our companies, infrastructure, and government. That’s what keeps hitting the news. So unless we have similar teams conducting the same research and investigation independently, we will be at a disadvantage to their attacks and findings.”

Consensus in the security researcher community generally supports the idea that the issue is more about disclosure—when and how a researcher makes a given flaw or exploit public—rather than the research to discover the vulnerability itself.

Vaughan said, “There is a very strong motivation for security experts to publicly release their findings for personal gain and bragging rights among their peers. One need only attend a few of the briefings at Black Hat or Defcon to observe this first hand. It is seen as an achievement to find and demonstrate new exploits.”

Haber sympathizes with Davidson’s perspective—especially for vulnerabilities that are disclosed without adequate time for the vendor to address the issue. “The process really needs to be managed, and not by the independent researcher that finds a vulnerability in the first place. I can only imagine the amount of information that crosses Oracle’s security desk, and the amount of energy it takes to prove or refute a vulnerability claim; especially when the results being submitted are questionable to begin with.”

Haber added, “From my perspective as the VP of Technology, and reading the original post and subsequent reply, this is the best interpretation I can give of their feelings and frustration with the current state of vulnerabilities, disclosure, and due diligence by any company to make secure solutions.”

As it turns out, the wording of the licensing agreement may not give Davidson or Oracle the right to block security research anyway. Moussouris shared that the Copyright Office has had a public hearing and is considering carving out a specific niche within the Digital Millennium Copyright Act (DMCA) exempting security research and protecting security researchers from the sort of legal harassment and bullying Davidson professed.