"Don't read our code to find vulnerabilities": Oracle's chief security officer hastily deletes blog post after backlash
Software and service vulnerabilities are a problem not only for users but also for service providers, and rewards are commonly paid for reports of them. Nevertheless, Oracle's Chief Security Officer (CSO) wrote in a blog post that customers "should stop reading our code to find vulnerabilities, because it violates the license terms." After a storm of criticism, the post was hastily deleted.
No, You Really Can not (Mary Ann Davidson Blog)
Oracle CSO goes against bug bounties and security researchers - Business Insider
Davidson's post rested on the following three claims: users cannot analyze the code to determine whether the attacks flagged by a scanning tool are actually exploitable, or whether a control already prevents them; users cannot create patches for vulnerabilities, since only the vendor (Oracle) can; and users who run tools that analyze the source code are almost certainly in violation of their license.
Having set out these three principles, Davidson appealed to customers to stop analyzing the code. The background, according to the post, is that Oracle's security contact point receives a steady stream of messages from customers pointing out vulnerabilities and demanding remedies. Customers hire security consultants, who run scanning and analysis tools against Oracle's products to check for vulnerabilities, and Davidson regards this as reverse engineering that is contrary to the license terms. In other words, her position is that checking for vulnerabilities with tools that violate the license is improper, and customers should stop doing it.
The blog post also included a Q&A, and the exchange gives some sense of how Davidson thinks.
Q: What if the security consultant hired by the customer has not agreed to the license terms?
Q: What if Oracle actually has a vulnerability?
A: We will fix any vulnerability, even one that was found by violating the license. We protect all customers, which means everyone gets the fix at the same time. Pointing out a vulnerability does not get you a special patch. And I will not say thank you for breaking the license terms.
Q: Here is a suggestion. Why not pay a bounty for bug reports?
A: "According to a well-known security company, security researchers account for about 3% of all reported vulnerabilities. I would rather hire as many people as I can manage to find them ourselves."
Q: There may indeed be some malicious reverse engineering, but why also restrict people who report vulnerabilities with good intentions?
Of course, as Davidson's post says, exploiting vulnerable software to commit cybercrime is clearly unacceptable. But a third party who discovers and reports a vulnerability that the developer failed to avoid during development is, in essence, a collaborator of that developer. It seems fair to say that Davidson drew heavy criticism precisely because she condemned the security consultants and users who discover vulnerabilities as "violating the terms of service."
Davidson's blog post was deleted in response to the criticism. Regarding this, Oracle stated: "The security of our products and services has always been critically important to Oracle. Oracle has a robust program to ensure product security, and we work with third parties and customers to ensure the security of Oracle technology. The CSO's post did not reflect our beliefs or our relationship with our customers, so we have removed it."