When I was a kid, I remember going to the barber shop with my brother, who was given an “unbreakable” comb by the barber. My brother promptly snapped it into two pieces. It was not unbreakable to him.
I am reminded of this story because Oracle CSO Mary Ann Davidson published (and subsequently deleted) a blog post decrying security researchers who “reverse engineer” Oracle software to identify vulnerabilities, claiming it was a violation of Oracle’s licensing agreements.
Davidson made many inflammatory remarks that have incensed the security community, such as comparing bug bounty programs to boy bands with companies throwing their underwear at security researchers (gross). And yet, Davidson admits “Ah, well, we find 87% of security vulnerabilities ourselves.”
Ah, well, that still leaves a pretty significant security gap, doesn’t it?
In regard to patching vulnerabilities, Davidson contends, “We will also not provide credit in any advisories we might issue. You can’t really expect us to say ‘thank you for breaking the license agreement.’”
It’s a strange attitude for a CSO. In contrast, tech giant Microsoft recently announced that it was doubling its bug bounty program from $50,000 to $100,000. Recently, United Airlines rewarded a researcher with one million miles for identifying a bug. Even Tesla pays a nominal reward.
To give Davidson the benefit of the doubt, as CSO of Oracle, it is her job to improve its security. As Davidson notes, “I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is ‘whack a code mole’) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues.”
This opinion seems pretty similar to comments Microsoft security chief Mike Reavey made in 2012: “I don’t think that filing and rewarding point issues is a long-term strategy to protect customers.”
Perhaps Oracle will experience the same change of heart as Microsoft, now that Davidson’s comments have been made public. Oracle is sure to be feeling the heat from the security community.
As CSO security reporter George Hulme aptly tweeted:
“BREAKING NEWS: APTs and cyber criminals announce they will no longer reverse engineer Oracle because it is a violation of the terms”
In other words, when security vulnerability research is outlawed, only the outlaws will research security vulnerabilities to exploit Oracle users.
Recently, Bromium Chief Security Architect Rahul Kashyap spoke with CSO about responsible vulnerability disclosure, concluding that “Full Disclosure is a spirit, it’s an attitude — you cannot kill that easily with laws and layers of documentation.”