Oracle's security chief made a big gaffe in a now-deleted blog post
Oracle removed the post, and quickly distanced itself from it.
"We removed the post, as it does not reflect our beliefs or our relationship with customers," wrote Edward Screven, an executive VP and Oracle's Chief Corporate Architect.
It's not uncommon for Oracle customers (or Microsoft customers or IBM customers or many others) to hire security professionals to poke and prod at the software for which they paid hundreds of thousands of dollars, reporting any vulnerabilities back to the mothership.
Some technology companies are grateful for the report: Microsoft, for example, runs a variety of security bug bounty programs that pay anywhere from $500 to $100,000. Many big companies would rather incentivize security experts to come to them first, giving their engineers the chance to patch things up before that hole becomes more widely known to potential attackers.
Apparently, Oracle's Davidson feels differently. In her post, she suggested that doing certain types of security research violates the company's intellectual property rights.
Davidson wrote:
Moreover, Davidson said that Oracle is better than any researcher at spotting bugs, and that those researchers send a lot of false positives, "so please do not waste our time on reporting little green men in our code." Instead, Davidson asked Oracle customers to make sure their own computing infrastructure is locked down, because Oracle can handle its end of the bargain.
If you do report a legit bug, Davidson wrote, "we may not like how it was found but we aren't going to ignore a real problem - that would be a disservice to our customers." But don't expect a bounty or any kind of credit, Davidson wrote.
"We will also not provide credit in any advisories we might issue. You can't really expect us to say 'thank you for breaking the license agreement.'"
The irony is that Oracle has endured a lot of security vulnerabilities over the years that were only pointed out by these independent researchers, enabling the company to fix things up. It's also at odds with Oracle's official vulnerability reporting page, which says "Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued."
Again, Oracle has since removed the post. Oracle's Screven issued the following full statement:
A copy of the original post has been saved on Scribd and is embedded below:
No, You Really Can't (Mary Ann Davidson Blog) by Owen