Oracle Deletes CSO's Screed Against Hackers Who Report Bugs


Oracle undoes the problems created by their CSO's rant by deleting her blog post. Done.

August 11, 2015

If you take apart Oracle's software and find a hackable vulnerability, don't tell the company. Or at least not its chief security officer.

"If you are trying to get the code in a different form from the way we shipped it to you...you are probably reverse engineering," writes Oracle CSO Mary Ann Davidson. "Don't. Just – don't."

That, in short, is the message of a nearly 3,000-word rant Oracle Chief Security Officer Mary Ann Davidson wrote on her company blog yesterday. The post was deleted sometime before Tuesday morning, but is still visible on the Internet Archive. Davidson rails against customers who report bugs to the company, and complains that she is increasingly having to write responses telling them to stop violating their license agreement, which forbids reverse engineering of Oracle's software.

"Recently, I have seen a large-ish uptick in customers reverse engineering our code to attempt to find security vulnerabilities in it," she writes. "This is why I've been writing a lot of letters to customers that start with 'hi, howzit, aloha' but end with 'please comply with your license agreement and stop reverse engineering our code, already.'"

The post set off an immediate firestorm in the security industry, which—aside from Oracle—has increasingly adopted a friendly attitude toward reverse engineers and benign hackers. Standard practice for a company that receives a report of a previously unknown vulnerability in its software, a so-called "zero-day" bug, is to credit the researcher or even pay a "bug bounty" monetary reward. Practically every major tech company from Google to Microsoft, and increasingly other companies from United Airlines to Tesla, now runs some version of those reward programs.

Davidson, who has a long history of adversarial relationships with security researchers, took a harshly opposite tone. "We will also not provide credit in any advisories we might issue," she wrote. "You can’t really expect us to say 'thank you for breaking the license agreement.'"

Oracle vice president Edward Screven explained the post's deletion in a statement to WIRED Tuesday afternoon. “The security of our products and services has always been critically important to Oracle," Screven writes. "Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”1

Despite that pseudo-apology, here are a few of the response tweets from the security community, many of which excoriate Oracle for rejecting free security advice and make the undeniable point that the company's real enemies—nation-state hackers and cybercriminals—won't abide by Oracle's draconian prohibition on reverse engineering.

[Four embedded tweets from the security community, not reproduced here.]

1Updated 3pm EST with a comment from Oracle explaining the post's deletion.