A bug hunter who promised to disclose one zero-day bug in Oracle databases every day for a week has abruptly cancelled his plans "due to many problems".
It's unclear exactly what those problems are, but Cesar Cerrudo, founder of Buenos Aires-based Argeniss Information Security, said he was "sad and angry" about the decision. He refused to give any more information because he did not wish to create "more problems".
Cerrudo apologised to those who had contributed to the project in a brief note on his website, but offered no explanation for his decision to cancel the initiative, which was announced only last week.
In the original note announcing his plans, Cerrudo said his effort was inspired by a similar Month of Browser Bugs and Month of Kernel Bugs announced earlier this year by other independent vulnerability researchers. "We want to show the current state of Oracle software (in)security (sic)," Cerrudo wrote. He said he wanted "to demonstrate Oracle isn't getting any better at securing its products".
The note went on to add that Argeniss could do a Year of Oracle Database bugs if it chose to. "But we think a week is enough to show how flawed Oracle software is," he had said.
Just this week, another security company, Next Generation Security Software (NGSS) revealed that between December 2000 and November 2006, Oracle's databases clocked up four times as many security holes as the much-derided SQL Server from Microsoft.
Last year, for instance, database vendor Sybase threatened to sue NGSS over its plans to publicly release the details of eight holes it had found in Sybase software. NGSS had already informed Sybase about the holes, and Sybase had already issued patches for them. Even so, Sybase objected to the release of what it considered to be overly specific details of how to exploit the flaws.
Another vendor involved in a similar dispute was Cisco, which last year sought a federal injunction to stop an independent vulnerability researcher from spreading information on how to hack a Cisco router.
There's nothing to show that Oracle may have influenced Cerrudo's decision in the latest instance. But an Oracle blog post noted a "flurry of articles and blog entries" about Oracle security in recent days and criticised security researchers who disclosed the existence of zero-day bugs before a fix is available.
"We consider such practices, including disclosing 'zero-day' exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack," the blog noted without citing any researchers by name. The blog added that Oracle closely monitors the publication of such zero-day flaw information to see whether it poses a realistic threat to customers and, if need be, to issue a patch if it does.
"Ultimately, we seek to work with security researchers as partners for the purpose of making our products more secure," the blog said. "But we do not contract security researchers for competitive research, or for the main purpose of placing them under a contractual 'obligation of silence'."