Oracle’s CSO, Mary Ann Davidson, provided a wonderful example of how not to handle having your products reverse engineered.
Her original post has been removed, but there’s a copy of it on Scribd. It’s worth reading, if you haven’t seen it yet.
I think I get where she is coming from in her original post. If people are using automated static analysis tools to report issues, and those reports are either not actually security issues or things Oracle is already aware of and working on, I can certainly understand how that might be a drain on their resources, and that their time could be better spent finding real issues themselves.
That being said, I can’t believe that a company — especially one the size of Oracle — can think that the “Pay no attention to the man behind the curtain” approach is an effective strategy.
People are going to try to look at your code. Even if not your customers, the ‘bad guys’ certainly will. Taking a stance of “if there’s a security issue, we’ll find it on our own” isn’t helping anyone.
Ultimately, if someone running automated tools or performing a basic static analysis is able to uncover actual issues in Oracle’s products, that’s stuff Oracle should have found on its own. If false positives and duplicates are the real problem, Oracle isn’t doing a good job of clearly exposing that to their customers.
I like how Bugcrowd and similar services do it… Companies with a mature security program can define boundaries. There is a monetary incentive to follow the rules and proper procedures. Even if something happens to fall outside the scope of the bug bounty program, they are still likely to have the ability to work with the person to ensure the issue is validated and fixed within a reasonable amount of time.
The biggest downside I see with the current bug bounty programs is that products not part of the bounty are probably worthwhile targets. The product might not get much attention internally and may simply have been forgotten about. A vendor might also leave it out because they already know, or suspect, that there are a lot of bugs in it. Either way, what isn’t part of a bug bounty program can sometimes be even more interesting than what is… at least if you don’t care about the rewards.
Hopefully Oracle will eventually shift more towards the bug bounty style. As it is now, it seems like they view it as purely an ‘us vs them’ approach. Where bug bounties really shine, though, is when the internal team is able to collaborate with external researchers.
I wonder how much (if any) competitive advantage the SQL Server platform has over Oracle, given the difference in how Microsoft handles the discovery and reporting of issues in their products versus Oracle. Maybe that could be a motivating factor for them to change their approach…