Oracle is improving its security patch process to make it easier to understand.
With the October Critical Patch Update, the company will begin rating vulnerabilities according to the Common Vulnerability Scoring System (CVSS) - a system backed by Cisco and IBM that attempts to standardise the way security flaws are rated.
Oracle will also provide executive summaries of its security vulnerabilities, and a list of the flaws that could be exploited by remote attackers without first authenticating to the Oracle server. "Customers are now asking for information in a better format. They want some sort of objective score so they can tell which is the most important thing," said Darius Wiles, senior manager of Oracle Security Alerts.
To date, wading through Oracle's security documentation has been a daunting task. The company's last round of patches, released on 18 July, contained 65 security patches, and figuring out the severity of each of these bugs involved interpreting "risk matrix" data from three separate risk categories, all provided by Oracle.
"The information has always been available in the risk matrix if you know how to interpret the data," Wiles said. "You can figure it out, but customers said they wanted a much simpler system where they could just run down through the list of vulnerabilities and have a 'yes' or 'no'."
The executive summaries will also make it easier for administrators to explain the severity of vulnerabilities to their supervisors, Wiles added. "Customers were looking for a short summary that they could pass up to management," he said. "They wanted something that Oracle had provided so they could just cut and paste it and say, 'These are the official Oracle words'."