Oracle has taken down a blog post published by the firm’s chief security officer that featured scathing comments about security researchers and bug bounties.
The post by Mary Ann Davidson has since been removed from the official website, yet remains online thanks to a number of web archives.
“Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it. This is why I’ve been writing a lot of letters to customers that start with ‘hi, howzit, aloha’ but end with ‘please comply with your licence agreement and stop reverse engineering our code, already’,” wrote Davidson.
Davidson said that if a “sinning customer” goes against the product licence agreement in an attempt to reveal a security flaw they will be met with a legal response.
“If we determine as part of our analysis that scan results could only have come from reverse engineering we send a letter to the sinning customer, and a different letter to the sinning consultant-acting-on-customer’s behalf reminding them of the terms of the Oracle licence agreement that preclude reverse engineering, so please stop it already,” she wrote.
Again focusing on reverse engineering, Davidson said that, even if a researcher discovers a legitimate concern, it doesn’t justify the action.
“Just like you can’t break into a house because someone left a window or door unlocked. I’d like to tell you that we run every tool ever developed against every line of code we ever wrote, but that’s not true,” the post continued.
“Please do not waste our time on reporting little green men in our code. I am not running away from our responsibilities to customers, merely trying to avoid a painful, annoying and mutually-time wasting exercise.”
Davidson also attacked bug bounties, the process of offering a reward for the discovery of security vulnerabilities, describing them as “the new boy band”.
“Many companies are screaming, fainting and throwing underwear at security researchers to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87 percent of security vulnerabilities ourselves, security researchers find about three percent and the rest are found by customers,” she wrote.
Bounties are used by major technology firms including Facebook, Google, Yahoo and Microsoft. Most recently, Microsoft raised its bounty to up to £65,000 after the release of Windows 10.
Despite Davidson’s resolute security position, Oracle recently announced 193 critical security fixes, including 25 for Java, 23 of which were thought to be remotely exploitable.
V3 contacted Oracle for comment about why the blog post was taken down but had not received a reply at the time of publication.
Meanwhile, security experts on Twitter have been outspoken about the removal of the Oracle blog and have started to mirror the original version.
Oracle *really* hates both reverse engineers and bug bounties: https://t.co/46UhuUtqmk PS. Yes, this is the company behind Java.
— Mikko Hypponen (@mikko) August 11, 2015
So was that oracle blog post authentic or did some people at defcon decide it would be funny to write a MAD satire?
— Stefan Esser (@i0n1c) August 11, 2015
An archived version of *that* Oracle blog post (now deleted from their site) without the irritating cookie popup: https://t.co/e97aY009FC
— Graham Cluley (@gcluley) August 11, 2015
Meanwhile Chris Wysopal, the chief technology fficer of Veracode said that Oracle’s stance was backwards looking and ignored the realities of modern day security standards.
“Discouraging customers from reporting vulnerabilities or telling them they are violating license agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security.”