Oracle pulls CSO's reverse engineering and bug bounty programme rant

Oracle CSO Mary Ann Davidson penned a blog post on Monday and warned researchers they would receive a legal letter if they continued to reverse engineer the company's code.

Oracle CSO Mary Ann Davidson penned a company blog post on Monday that many cybersecurity experts and researchers saw as a direct attack on their work. After swift blowback from readers, the company pulled her entry, but not quickly enough to spare it from Google's cache.

Titled “No, You Really Can't,” the post delves into Davidson's frustrations with customers hiring outside consultants to reverse engineer Oracle's code. 

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems,” Davidson wrote. She went on to write that security practices, including encrypting sensitive data and “applying relevant patches,” would be a better use of resources.

Davidson, who sits on SC Magazine's editorial board, added, “And in fact, there are a lot of data breaches that would be prevented by doing all that stuff, as unsexy as it is, instead of hyperventilating that the Big Bad Advanced Persistent Threat using a zero-day is out to get me! Whether you are running your own IT show or a cloud provider is running it for you, there are a host of good security practices that are well worth doing.”

She noted that her employer deploys its own tests, and any reverse engineering goes against customers' contracts. If they do choose to pursue independent tests and report the results to Oracle, they will receive a letter instructing them to cease and desist all testing and also “destroy the results of such reverse engineering and confirm they have done so,” in Davidson's words.

Davidson's post took aim not only at penetration testing but also at bug bounty programs. Calling them the “new boy band,” the company's CSO wrote that most of its products' vulnerabilities are found by its own employees, not outside researchers.

“I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on,” she wrote.

Twitter reactions abounded, though most researchers weren't exactly surprised at the post's core thesis.

“It is very bold of Oracle to show its true colors, even for a moment,” tweeted Robert Imhoff-Dousharm, a cybersecurity professional. “They confirm publicly what many experience individually.”

Another pro, Gunter Ollmann, tweeted: “Maybe now's the time for @oracle to shed its stagnant and dated view on software security. Bring in a CSO of today's generation.”

Researcher Christopher Boyd also chimed in via the social media channel: “Grats to @Oracle for making a blogpost go sideways faster than any plane hacker ever could.”

Saying the post “does not reflect our beliefs or our relationship with our customers,” Oracle and its Executive Vice President and Chief Corporate Architect Edward Screven said, in an emailed statement to SCMagazine.com, the company “has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure.”

The company didn't elaborate on who initially approved the post.

This article was first published by our sister publication SC Magazine.

Chris Wysopal, CTO and CISO of Veracode, emailed SCMagazineUK.com to comment: “We now rely on software for everything - health, safety and wellbeing - and crafting a policy of ‘see something, say nothing’ puts us all at risk.

"Application security is an enormous software supply chain issue for both enterprises and software vendors because we all rely on software provided by others. Vendors need to be responsive to their customers' valid requests for assurance, and to security researchers who are trying to make the software we all consume better. Leaders in the industry – Google, Apple, Microsoft, Adobe – all encourage third-party code audits and bug bounty programmes as a valuable extension of their own security processes.

"Discouraging customers from reporting vulnerabilities or telling them they are violating licence agreements by reverse engineering code, is an attempt to turn back the progress made to improve software security.”
