Oracle CSO to customers: we don't need your (false positive) bug reports
The condescending tone of the blog that sets down her objections rankled readers and presumably customers so much so that Oracle took it down, but not before it was cached.
One excerpt from CSO Mary Ann Davidson's blog: "Now is a good time to reiterate that I'm not beating people up over this merely because of the license agreement. More like, "I do not need you to analyze the code since we already do that, it's our job to do that, we are pretty good at it, we can unlike a third party or a tool actually analyze the code to determine what's happening and at any rate most of these tools have a close to 100% false positive rate so please do not waste our time on reporting little green men in our code." I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying, and mutually-time wasting exercise."
The flap over the blog prompted this explanation from the company: "We removed the post as it does not reflect our beliefs or our relationship with our customers," wrote Edward Screven, Oracle executive vice president and chief corporate architect, in a press statement emailed the IDG News Service Tuesday.
Davidson has a point. Customers' licensing agreements do say they aren't allowed to mess with the code, which is apparently what they do in order to come up with some of the bugs they say they've found.
Davidson says a lot of them aren't actually bugs, and that the customers who send them in as such just don't understand what bugs are. And the issues customers report can be hundreds of pages long and take too much time to check out.
Which all may be true, but it's not a very slick way to deal with customers and generate goodwill. Better to stick to the path she'd been following, which is to send letters reminding customers when they violate the agreements telling them to stop privately.
One troubling aspect of Davidson's rant was this statistic: "Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers." So that means 10% of vulnerabilities worth acting on are discovered by customers, the ones she's telling to stop looking for bugs. Apparently she's willing to let that 10% go undiscovered in the name of upholding the licensing agreement.
She's not big on bug bounties, either, a method many software vendors employ to find and then correct flaws with their software. "Bug bounties are the new boy band (nicely alliterative, no)," she writes. "Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn't secure."
She doesn't at all address the issue of software liability, something that lurks behind her customers' unacceptable behavior. It's an issue that comes up more and more among independent software security researchers the white-hat hackers. At the Black Hat conference last week its founder, Jeff Moss, remarks mentioned Oracle in particular as a software vendor that currently doesn't need to buy liability insurance like airplane manufacturers do just in case their products fail.
Now, their license disclaimers and those of other software vendors in general state that they don't guarantee much at all about the quality of their products, he says. But that should change, Moss says, in order to light a fire under software vendors to write more secure code.
Security expert Bruce Schneier, speaking at last week's DEF CON, also called for software liability. He says he realizes that making software live up to a liability standard would mean higher prices. "The cost would be passed on to us be at least we'd get better security for it," he says.
Davidson had a bad day, for sure, when she wrote that blog, but by blaming customers for violating licenses and ignoring why they do, she also ignores that her customers' behavior signals that they want Oracle to do better.