Boy, this is worth a read: Oracle's chief security officer, Mary Ann Davidson, has an op-ed piece on CNet in which she attempts to blast some security researchers (in particular, she links to this story on Alexander Kornbrust, so I assume he's target #1). I don't think I would have taken her approach, for two reasons. One is that it's going to inflame the BlackHat crowd, and will undoubtedly result in Oracle's vulns getting much more press than they would otherwise; remember, the tech press loves controversy.
The other reason is that, given Oracle's recent security troubles, she would have been better off talking about how Oracle is addressing the legitimate concerns its customers have. She's right that fixes to even simple vulns still have to go through a full test and release cycle, but she's being disingenuous in claiming that Oracle has been responding in a timely manner to the notifications they've received. They haven't (and this is not new behavior).
Fearless prediction: Oracle will get publicly spanked by Kornbrust, Litchfield, and probably some others during BlackHat. Davidson will be unrepentant.