Row rumbles on over figures in Oracle CSO’s anti-security rant Security researchers picking through the entrails of a withdrawn blogpost by Oracle CSO Mary Ann Davidson reckon not even her figures add up. Oracle countered that only it had access to the raw figures, so there. Davidson's 3,000+ word diatribe against bug bounties, security researchers or customers hunting vulnerabilities in …
"does not reflect our beliefs or our relationship with our customers" Many years experience with Oracle says that rant was a perfect reflection of their attitude and relationship with customers. If you're a clueless VP who can override IT purchasing decisions, it's a different story, of course.
Since otherwise I'd have written a few hundred lines of code and generally we reckon on a bug of some sort in every few lines and (until proven otherwise) let's regard them as insecurities.
Armed with this new Oracle methodology I'll be sure to go to the pub later and heroically avert another few dozen. No need to thank me boss; picking up my bar tab will suffice...
Lies, damn lies and statistics.
Did Adam Gowdiak count each individual bug reporter as a seperate entity. i.e. if I found 2 seperate bugs at different times is that 1 customer reported bug accreditation or 2? And how did Davidson count them?
Perhaps they should put it in a database (take your pick, many out there!!!) and do a SQL SUM() on the bugs list?
That really doesn't help the picture.
Oracle are claiming they find and fix thirty times as many security vulnerabilities as are revealed to the public. Even if that happens before the code in question is released, there's something very wrong with Oracle's development process, given the number of issues that are published.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
