Oracle has hit out at security researchers for disclosing software flaws before companies have prepared fixes for them.
The long-standing tension between software vendors and researchers blew out into the open on the blog of Eric Maurice, Oracle's security manager. Maurice said Oracle wouldn't let external perceptions drive its software security policies and that it would continue to prioritise vulnerabilities based on their criticality and not on who had discovered them.
He blasted security researchers who disclose so-called zero-day flaws before vendors make fixes for them. "We consider such practices to be irresponsible, as they can result in needlessly exposing customers to risk of attack," Maurice wrote. The blog post was an apparent response to what Maurice described as "a flurry of articles and blog entries" about Oracle security issues.
That flurry had some basis however. Next Generation Security Software released a study showing that Oracle's databases have had far more vulnerabilities than Microsoft's SQL Server has had over the past six years. Meanwhile, a security researcher in Argentina announced - then abruptly cancelled - plans to release information about an Oracle zero-day flaw every day for one week in December.
Cesar Cerrudo, founder of Argeniss wouldn't explain why he dropped the bug-disclosure plans. But he defended the work done by security researchers and said vendors should be more concerned about "responsible software development" than about proper vulnerability disclosure practices. "Vendors are used to researchers playing nice," he wrote. "The situation should change. Research costs thousands of dollars, and right now vendors are getting [it for] free."
HD Moore, founder of the controversial Metasploit Project, which releases vulnerability information and tool kits for writing attack code, rebutted the notion that such initiatives only benefit malicious hackers. The information made available by Metasploit "puts the good guys on equal footing with the folks who already have the skill to launch these types of attacks," Moore said.