back to article Oracle pulls CSO's BONKERS anti-bug bounty and infosec rant

While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse. Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike …

  1. Paul Crawford Silver badge
    WTF?

    Even more reason, as if more was actually needed, to keep clear of Oracle products in every shape or form.

  2. Anonymous Coward
    Anonymous Coward

    Oracle - the people who brought you Java

    Which is a beacon of quality and vulnerability free software....

    1. Anonymous Coward
      Anonymous Coward

      Re: Oracle - the people who brought you Java

      Actually they bought it, but they definitely own it.

      1. Nolveys
        Trollface

        Re: Oracle - the people who brought you Java

        Actually they bought it, but they definitely own it.

        Everyone owns Java. "Own" is spelt with a "p", yes?

        Hey, Mary, that 3% of bugs are the exact same 3% that The Wrong People will most likely find, you silly twit.

        1. Anonymous Coward
          Anonymous Coward

          Re: Oracle - the people who brought you Java

          @Nolveys: It is worse than that...

          Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers."

          "I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem

          If they find 87% then they're throwing the money at the 13% they don't find. Personally, I'd prefer it if bugs were found internally, then by bounties, and never by the end customer - it shows they don't give a fuck. I despise the shitbag of a company.

          "Oracle, putting the cunt into company"

  3. Naughtyhorse

    Amazing....

    Just from the power of words alone i get a picture forming in my head.....

    mom from Futurama.

    probably grossly unfair, but it did actually happen.

    1. mi1400

      Re: Amazing....

      Dear Journos at AlReg ... $10-30K/bugbounties maybe the price of most expensive thing u have ever imagined/fantasized or equal to several dozen salaries you could get at once... but the hackers or likes by selling elsewhere can get 10x better than this,, i understand and knew that ur brain froze doing 10x of $10,000 but its understandable as there has to be people (think journos) in lowest layer food and intellect chain. I am no fan of oracle but this new bitchword bugbounty is a new wrapper on same earlier bitchword "opensource" specially in a post NSA world.

  4. Anonymous Coward
    Anonymous Coward

    I've had somebody bringing me a Nessus security audit...

    ... and the stuff in it was actual security issues in Oracle Solaris, in FOSS code they used.

    But when I called Oracle support, they neither confirmed nor denied the existence of any security vulnerability, since nothing had been Officially Announced, and no, of course they would not give me any workaround, countermeasure, or even an ETA for a fix.

    Red Hat had, of course, already provided an update for the same vulnerability, and provided details about it.

    So, I still lack any sympathy for *the* person whose management in Oracle made me ditch Solaris completely in favour of RHEL.

  5. Anonymous Coward
    Anonymous Coward

    As a bug hunter...

    I concur... when you start running in the bug bounties or just independently declaring CVE's, you quickly learn that there are two companies - notably Oracle and Cisco, that are particularly hostile when you present bugs to them (barely veiled legal threats). It has, of course, the logical effect of leaving discovered bugs undeclared because there is no motivation to do so. If anyone wanders the darknet you'll see the session puzzling bugs in Oracle products are all the rage at the moment...... if they don't want to get involved in common sense vulnerability programs, I'm sure infotomb and pastebin will find a way to get the bugs to the public. :)

  6. Anonymous Coward
    Anonymous Coward

    Your house belongs to the Oracle

    «Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.»

    In Oracle's viewpoint, if the lock vendor of your house's doors made them defective, so the doors won't close - well, too bad, you are not allowed to do anything about it, not allowed to call in a locksmith, and of course, not allowed to complain about it.

    Just wait until the lock vendor provides you with a fix, which is done on a fixed schedule of once every quarter.

    I am amazed by her inability to find a less awful metaphor.

    1. Tom 7

      Re: Your house belongs to the Oracle

      Perhaps because there isn't one.

    2. YetAnotherLocksmith

      Re: Your house belongs to the Oracle

      «Sigh. At the risk of being repetitive, no, it doesn’t, just like you can’t break into a house because someone left a window or door unlocked.»

      Of course it does! If I can go through the open window or unlocked door, why the heck would I try picking the lock?

      She clearly doesn't actually know any locksmiths, nor much about the bad guys trying to get in.

    3. Roo
      Windows

      Re: Your house belongs to the Oracle

      "I am amazed by her inability to find a less awful metaphor."

      The Oracle Chief Security Offiicer's post illustrated a depth of ignorance and willful stupidity that I would be amazed if they were capable of remembering to breathe by themselves. Mary Ann Muppet really should know better given that she's been dabbling in security biz at Oracle for 22+ years.

      1. Mark 65

        Re: Your house belongs to the Oracle

        Mary Ann Muppet really should know better given that she's been dabbling in security biz at Oracle for 22+ years.

        Yes, but is she a security person or just some admin mouthpiece that was put into a role nobody wanted to do a long time ago and has been promoted for her rampant sycophancy ever since? Every company has one.

  7. Anonymous Coward
    Anonymous Coward

    why do theese people rise to the top in companies?

    To paraphase Blur, it's not cream that floats to the top.......it's shit that floats!

    1. Captain DaFt

      Re: why do theese people rise to the top in companies?

      Look at any stagnant pond, scum tends to rise to the top.

    2. Anonymous Coward
      Anonymous Coward

      Re: why do theese people rise to the top in companies?

      Lesson number 1 of large corporations - sycophancy will get you an awfully long way. Nobody in senior management likes hearing the phrases "no" or "you're wrong". If you want to go far just pretend that they're not fucking idiots. Alternatively just pride yourself on having some integrity.

      Moral of this tale - integrity comes at a cost.

    3. Mr. Flibble

      Re: why do theese people rise to the top in companies?

      Maybe she's a leftover from the merger with Micros Fidelio - I didn't have a particularly high regard of them in terms of security either...

  8. theOtherJT Silver badge

    Doesn't surprise me.

    Given how awful every Oracle product we're forced to run here is it feels like the entire culture at Oracle is abusive toward their customers.

    Honestly, I get the impression that their entire business model revolves around winning contracts on name recognition alone and then once they've got you locked in, doing the exact minimum required to ensure that it's harder to change to another product than live with the problems the thing they sold you has.

    1. Sir Sham Cad

      Re: entire culture at Oracle is abusive

      Oracle as a company are just fucking disgusting, to be honest.

      Not necessarily to do with anything in the article, either. I just can't stand their corporate practice. This threatening behaviour and ostrich approach to infosec is just one more shit cherry on the turd cake of Corporate Oracle, for me.

      In other news: I don't like Oracle very much.

    2. Anonymous Coward
      Anonymous Coward

      Re: Doesn't surprise me.

      once they've got you locked in, doing the exact minimum required to ensure that it's harder to change to another product than live with the problems the thing they sold you has.

      That's not just Oracle, you've just described enterprise software in general. Oracle is one of the worst offenders but they hardly have a monopoly.

    3. Anonymous Coward
      Anonymous Coward

      Re: Doesn't surprise me.

      Given how awful every Oracle product we're forced to run here is it feels like the entire culture at Oracle is abusive toward their customers.

      Try being a developer - it is one of the most confrontational, pain in the arse to use databases I have ever some across. Sure it's powerful, with reams of features the vast majority of clients will never ever use but otherwise it is a shitbag. Beautiful little intricacies like how, in some cases, it can view a date as a timestamp and start table-scanning rather than using a date-based index unlike most other systems.

      Overpriced shit.

  9. John H Woods

    "just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem..."

    Well, on a strictly economic basis, until you've established that the 'lot of money' is actually greater than 3% of the problem, the question is meaningless.

    1. GrumpyOldBloke

      The sentence should read; why would I throw a lot of money at 3% of your problem.

      That clarifies the economic argument.

  10. Destroy All Monsters Silver badge
    FAIL

    I remember "Unbreakable Linux" from this club of gentle(wo)men

    An appropriate frenchism: Fart Higher Than One's Arse

    Common sense says to move away from official Java as fast as possible.

  11. Anonymous Coward
    Anonymous Coward

    The Donald Trump of software companies

    As soon as someone - anyone - says anything negative about you, no matter how true, attack, attack attack. And the more personal you can make it, the better. Bullies never learn until someone kicks them in the teeth.

  12. Captain Scarlet

    Customer finding bugs

    I think customers should start using the Bug Bounty Program, if researchers get paid why don't you as a customer?

  13. Cronus

    It's not just about economically finding bugs...

    Anybody with access to Oracle's software can discover vulnerabilities and I'm sure there's plenty of security researchers out there who'd be tempted to sell exploits to crimeware developers or worse, imo, to governments. Bug bounties at least offer another paid alternative.

  14. smudge
    FAIL

    Sensational historical revelation!

    ...shooting the messenger (the fate of bearers of bad news in Ancient Greece)

    The Ancient Greeks had firearms?

    1. Gordon 10
      FAIL

      Re: Sensational historical revelation!

      They had plenty of missile weapons from slings to bows to spears.

      1. smudge
        FAIL

        Re: Sensational historical revelation!

        Of these, "shooting" could apply only to bows.

        And I don't think the Greeks would bother doing that since they could probably just hit the bloke with a very large stick....

        1. Naughtyhorse

          Re: Sensational historical revelation!

          but 'hitting the messenger with a large stick' doesn't scan.

          In fact it sounds like a bit of a(n - sounds... yuk) euphemism, in the best Finbar Saunders tradition.

          1. Grikath

            Re: Sensational historical revelation!

            "Plutarch's Lives states: "The first messenger, that gave notice of Lucullus' coming was so far from pleasing Tigranes that, he had his head cut off for his pains; and no man dared to bring further information. Without any intelligence at all, Tigranes sat while war was already blazing around him, giving ear only to those who flattered him." "

            Don't lose your head? ;)

            1. Stevie

              Without any intelligence at all, Tigranes sat while war was already blazing around him

              Who would have thought that George W Bush was such a student of ancient history?

  15. vordan

    I'll just sit and wait for the next big security breach in Oracle's product.

    And enjoy this b*tch's red face...

    1. Anonymous Coward
      Anonymous Coward

      Regrettably it will be red from shouting at whoever reported it

      and then at the internal staff who permitted the breach - who (extrapolating wildly from the shiny 10% of the shiteberg we can see poking above the water) are probably demoralised and micro-managed

      You can be sure it won't be red with embarrassment and a belated recognition of hubris. Those would be nice grown-up characteristics, and so thoroughly helpful for senior management of that sort of firm.

    2. Pookietoo

      Re: Security breach ... red face

      I suspect she may not be at Oracle much longer, because she needs to spend more time with her family.

    3. sabroni Silver badge

      re: And enjoy this b*tch's red face...

      Misogynist much?

  16. Anonymous Coward
    Anonymous Coward

    If I'm not allowed to check

    If I'm not allowed to test/check or outsource someone to check that my Oracle deployment is secure, does that mean Oracle will cover the lawsuit if it turns out someone does hack it using an Oracle bug?

    1. Anonymous Coward
      Anonymous Coward

      You[*] are allowed to check your Oracle license agreement though

      where you might well find that in the event of a hack[**] you will compensate Oracle for bringing their good name[***] into disrepute.

      [*] that's you only - surely it'll be confidential so you discuss it, post substantive extracts online, and absolutely mustn't disclose pricing. The sheep must be fleeced one at a time.

      [**] a legal fiction, since in reality it is unbreakable

      [***] also a legal fiction, presuming an audience that has yet to hear of the company. For such an audience you must concede it's a pretty good name, verging on cool.

  17. Henry Wertz 1 Gold badge

    I didn't agree to any agreement

    ""If you don't sympathize with the CSO of Oracle you have never had someone give you a Nessus report and tell you to fix everything in it," said Jerry Gamblin."

    This just tells me to not hire Jerry Gamblin for anything important. A) I've run Nessus against my infrastructure (admittedly long long ago), and the report was short, fixing everything on it was no big deal. Because I took security seriously to begin with. B) I don't like having a system that works but it shoddy. Therefore, I don't dread a report where I should fix evertything on it, I welcome it, because it makes the system better. The "stick your head in the sand" technique of just not wanting to know what is wrong is not the right way to go, especially if you're on the open internet, others WILL know and thoroughly pwn your setup if you try this for long.

    Regarding this CSO's mad rant.... bzzt, unless *I* checked the box or signed the contract agreeing to your licensing agreement, I didn't agree to any licensing agreement!

  18. Erik4872

    She's not going to win any friends like that...

    This was a very unprofessional post from the CSO. You'd expect something like this from a kid who thinks they know everything. I guess Larry likes to hire corporate officers that share his personality.

    That said, I do wonder how many of Oracle's incoming reports are submitted by kids running exploit hunting kits they download on the Internet and don't understand the output of. Hiding behind the license agreement isn't an acceptable answer, for the record, but I imagine that reports like this can get tiresome. I know the security research field has grown up slightly, but I often see examples of "researchers" trying to make names for themselves by showing more than a little hubris.

    I'm sure Microsoft, Cisco, etc. have boilerplate text somewhere in their agreements preventing reverse engineering as well. That doesn't mean it doesn't happen!

  19. Anonymous Coward
    Anonymous Coward

    Bad writing

    The thing that got me was how badly the post was written.

    Yes, this is a blog post, but Davidson is supposedly a C level executive!

    On the other hand, I hope the fiction she co-writes is more readable than that rubbish post.

  20. Fungus Bob

    Wowsers

    Must be nice to have enough money to be completely divorced from reality.

  21. Mikel

    Make that

    Oracle's former CSO.

  22. Anonymous Coward
    Anonymous Coward

    "Ah, well, we find 87 per cent of security vulnerabilities ourselves,"

    Is this something to be proud of?

    Feels like bragging that the developers produce buggy code...

  23. Conrad Longmore
    Coat

    Just finished reading the new Maddi Davidson murder mystery..

    It turns out that the customer did it.

  24. Anonymous Coward
    FAIL

    "Mary Ann Davidson, Oracle's soon to be former chief security officer."

    Yoooouuuu... Twat!

    1. Anonymous Coward
      Anonymous Coward

      Someone doesn't like House of Fools then...

  25. Anonymous Coward
    Anonymous Coward

    2 hours into a support call ...

    True story of Oracle support.

    We're experiencing, since the latest Oracle provided patch, memory leaks in our Oracle Application production instance. This is forcing us to reboot a 20 000 users environment every 24 hours. In the third day, 2 hours into a conference call with our CTO and a few other big wigs, the Oracle representative says the following. This is an exact quote.

    "Why should I help you with your problem?"

    The CTO, not missing a beat, replied "Because I have a 250 000$ check for our quarterly licence fees on the corner of my desk and I am not signing it until this is fixed"

    Yea, awesome service Oracle.

    1. Naselus

      Re: 2 hours into a support call ...

      "The CTO, not missing a beat, replied "Because I have a 250 000$ check for our quarterly licence fees on the corner of my desk and I am not signing it until this is fixed""

      I get the feeling he didn't miss a beat because he's had this exact conversation with Oracle a few times before.

    2. Mark 65

      Re: 2 hours into a support call ...

      I'm surprised they didn't respond with "well then you'll have to immediately stop using our products if the fees are not paid". They seem like the sort to do so.

  26. Anonymous Coward
    Anonymous Coward

    "The rest are found by our customers..."

    ... much to their annoyance when they are trying to get on with their main business that relies on their database working as expected.

    Yep, Mum from Futurama fits (credit - a post somewhere above this one).

  27. Mephistro
    WTF?

    Numbers, numbers...

    "... security researchers find about 3 per cent and the rest are found by customers"

    So they think it's OK for their customers to suffer find a 30% more vulnerabilities than they would find if a bug bounty program was in place?

    Corporate cultures can be so-so, bad, terrible, and then there is Oracle.

  28. Anonymous Coward
    Anonymous Coward

    We're in the midst of an annual Oracle license audit/anal probe and it's a nightmare. I am continually astonished that they are still in business. Every vendor has their issues with licensing, sometimes really ugly ones, but Oracle goes in dry. They don't even give you a reach-around. They're a cut above in their utter douchebaggery. Reminds me a lot of Sun under Scott McNealy, whose sole operating philosophy in sales was to slam the competition and in a really ugly and mean-spirited way. Ellison seems to rule his team in exactly the same manner. And to boot it's not like their software is even half decent. Their enterprise software in particular utter crap cobbled together from a thousand acquisitions.

  29. PassiveSmoking

    Thanks, Oracle. I was beginning to run out of reasons for utterly despising you.

  30. Anonymous Coward
    Thumb Up

    Anyone read any of Ms Davidson's books? Are they as well written, witty and completely non-patronising as her blog?

  31. Jeff 11

    "I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on."

    Maybe because defensive, top-down, bureaucratic corporate culture is only ever an obstacle to security research and bug fixing? Other corporates have recognised that the independence of thought encourages novel approaches to finding those software defects your internal team can't handle.

  32. cat_mara

    I wouldn't wish Oracle on my worst enemy

    As a developer, I actually prefer working with Oracle and PL/SQL than, say, Microsoft SQL Server and T-SQL; I think the former is a better-rounded language than the latter. If I land a contract gig maintaining an Oracle app, I'm happy. But if I were working on a greenfield application, I would *never* recommend a customer go with Oracle because of crap like this. Their salespeople are sharks who will pull every underhanded stunt in the book to earn commission, overselling customers on features they don't even need... then send the auditors in every year or so to extract their pound of flesh again. It's not worth the hassle. Now, I must see how the PostgreSQL emulation of PL/SQL is coming along. :-)

  33. Nordrick Framelhammer

    It is obvious why Oracle don't want bug bounties

    Their products are so full of bugs they would be out of business in a month if they had to pay up on bounties.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like