Security Researcher Nixes 'Week Of Oracle Database Bugs'


Buenos Aires-based Argeniss Information Security last week unveiled a campaign designed to flag security holes in Oracle's database software. Under the Week of Oracle Database Bugs program, Argeniss planned to publish information on undisclosed Oracle flaws each day for a week in December.

However, according to a Wednesday post on the Argeniss Web site, the security firm decided to suspend the Week of Oracle Database Bugs effort.

"We are sad to announce that, due to many problems, the Week of Oracle Database Bugs gets suspended," the post said.

In a Monday post on its Global Product Security blog, Oracle condemned the practice of releasing vulnerabilities without notifying the affected vendor and said it would not credit researchers who use that tactic.

Sponsored post

"We consider such practices, including disclosing 'zero day' exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack," said Eric Maurice, security manager in Oracle's Global Technology business unit, in the blog post.

Programs such as the Week of Oracle Database Bugs won't have the desired effect of getting Oracle to pay more attention to the security of its products, according to David Litchfield, managing director of U.K.-based Next Generation Security Software. "I think they already know they need to improve things in terms of unfixed bugs and the time it takes, but they will move at their own pace and won't be cowed by such things," he said.

Still, Oracle has been letting its customers down with its quarterly Critical Patch Updates, Litchfield added. "Late patches and patches being reissued several times are indicative of the disorganization of the Oracle security response processes, and this is the most important issue they need to solve," he said.

With the release of Oracle's October Critical Patch Update, security researchers criticized the Redwood Shores, Calif., software giant for downplaying vulnerabilities and suggested that the vendor published skewed scores using the Common Vulnerability Scoring System (CVSS), an emerging standard for rating the severity of security flaws.