While other IT industry heavyweights have embraced bug bounties and working with security researchers more generally, Oracle has set its face in the opposite direction in a blog post likening reverse engineering to cheating on your spouse.
Mary Ann Davidson, Oracle's chief security officer (CSO), expressed corporate dislike from the software giant for both reverse engineers and bug bounties in a long blog post on Monday. The post was pulled on Tuesday lunchtime, but its contents remain available via the Internet Archive here.
The tone of the post as a whole is reflected in Davidson's dismissive approach to bug bounties as a waste of money, at best, and naked hostility towards any attempt to reverse engineer Oracle's code.
"Bug bounties are the new boy band (nicely alliterative, no?)," Davidson wrote. "Many companies are screaming, fainting and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87 per cent of security vulnerabilities ourselves, security researchers find about 3 per cent and the rest are found by customers."
"I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on."
This attitude is in marked contrast to the likes of Google, Microsoft and Facebook, who have all thrown their weight behind their corporate bug bounty programmes.
Davidson goes on to bemoan users looking for vulnerabilities in its code, arguing that they are breaking licensing agreements and that third-party consultants are also bound by them by extension.
It doesn't matter, according to Oracle, that criminal hackers and intelligence agencies reverse engineer its code to look for vulnerabilities. Customers and their suppliers still need to toe the line, whatever their motives, and stick by the licensing agreement.
"Oracle’s licence agreement exists to protect our intellectual property," Davidson wrote. "'Good motives' – and given the errata of third-party attempts to scan code the quotation marks are quite apropos – are not an acceptable excuse for violating an agreement willingly entered into. Any more than 'but everybody else is cheating on his or her spouse' is an acceptable excuse for violating 'forsaking all others' if you said it in front of witnesses."
Oracle's essential line is that everyone should stop reversing its code, respect its licensing agreement and trust its infosec assurance programme to fix problems that crop up rather than kicking the wheels and looking underneath the bonnet themselves.
Oracle has a long and fractious relationship with security researchers.
Some of this animus can be traced back to Oracle's hubristic claims that its database software was "Unbreakable" in a high-profile marketing campaign. David Litchfield, the Scottish security researcher who did more than anyone to deflate these claims back in 2002, reckons that Oracle's current stance is chiefly an attempt to discourage corporate customers from using third-party app security tools. Litchfield explained: "It's directed at @Veracode and their customers that use it on Oracle code. Besides, you don't need to RE [reverse engineer] to find bugs in Oracle :)"
Davidson's post and arguments were not well received among security types more generally.
"Oracle's legal threats for security researchers who 'reverse engineer' their products is just part of a larger war on researchers," said infosec researcher Rob Graham, the developer who created the BlackICE intrusion prevention tool.
"Oracle cares more about protecting its intellectual property than their customers," added Brian Honan, the independent security consultant who runs Ireland's CERT – a sentiment echoed by other infosec experts.
Rather than shooting the messenger (the fate of bearers of bad news in Ancient Greece), Oracle is advocating "suing the messenger", according to some.
Per Thorsheim, founder of PasswordsCon, noted sarcastically: "Luckily Oracle software is Unbreakable. ;-)"
A few (very much the minority) expressed sympathy towards Oracle.
"If you don't sympathize with the CSO of Oracle you have never had someone give you a Nessus report and tell you to fix everything in it," said Jerry Gamblin.
Others argued Oracle needed to rethink its security policy, as Microsoft did a decade ago starting with Bill Gates' Trustworthy Computing memo of 2002.
"I hope Oracle will soon issue a Microsoft-style Trustworthy Computing memo," said Jeremiah Grossman, founder and CTO of WhiteHat Security. "Their software is too important for the current policy to stand." ®
Is Davidson's blog post, entitled "No, You Really Can't", a tribute to fictional New Labour spin doctor Malcolm Tucker?
The opinions expressed are so forceful that some Reg staffers as well as a few infosec experts originally thought the blog post was part of an elaborate hack.
Updated to add
"The security of our products and services has always been critically important to Oracle," the company's Edward Screven, executive vice-president and chief corporate architect, insisted to El Reg in a statement.
"Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers."