January 23, 2006

Inside Oracle's Patch Kimono

Computerworld just ran a down and dirty discussion with Duncan Harris, vulnerability and patch guy over at Oracle. In the past, I've been critical of Oracle's approach to patching their applications - particularly in light of opinions published by David Litchfield and others. After reading this, I'm even more critical. Take a look at some of the responses, like here where Duncan explains how well they do (or do not) work with security researchers; note the thinly-veiled attack on publicly-minded researchers:

In terms of working with the security community, we work very well with those that are happy to abide by the security vulnerability handling processes, which we have published on our Web site for anyone to see. There are others who for their own good reasons choose to pressure us and put our customers at risk by a partial or early or zero-day disclosure of vulnerabilities in Oracle products. I assume that is part of their marketing method to potentially increase their consulting business.

Interesting. Just for the record, the published process (found here) does not specify a time window for when vulnerabilities will be addressed by Oracle. The process does not specify what communication (if any) will take place between Oracle and the researcher. The process does not define any mechanism for testing fixes with the researcher, for putting developers in touch with the researcher, for notifying the researcher of the priority of the vulnerability, for providing the researcher with updates on the process, or even for tipping the researcher off when the patch is ultimately released. In fact, the only thing the process does say is that Oracle will fix the problem - eventually per its own timetable - and that the researcher should basically shut up about it in the meantime. From what we are told by researchers who work with Oracle, the "cone of silence" that is the vulnerability reporting process at Oracle can leave a vulnerability researcher scratching their head for months or even years.

Let's walk through a hypothetical scenario. If a researcher were to identify dozens of critical security flaws in Oracle products and report them to Oracle, they would write them up and submit them into the Oracle process. Oracle will assign each issue a priority - which they do not have to apprise the researcher of (in fact, it is in Oracle's best interest not to apprise the researcher of the priority). At this point, the researcher has no guarantee of when those problems might get fixed. Since Oracle acknowledges that patches can take up to 800 days (Duncan mentioned the "three year bug" in his second response on page 2) and since the Oracle process does not include provisions for notification to the researcher, it could be years before the researcher hears anything one way or the other about what they reported. A publicly-minded researcher might grow frustrated with the process after a long period of time - say 6 months or so - where Oracle has not acted; particularly so when patches are published that do not address the problem in the interim. A well-meaning researcher might want to put pressure on Oracle to take action and remove the security risk from Oracle customers; they might see Oracle's failure to act as directly putting individuals in danger as well: increasing their risk of being victims of identity theft, fraud, or embarrassment. What (if any) recourse does a researcher have? Only one - notification to the public.

Look, I'm not saying that Dave's a bastion of truth and justice or anything like that. However, I do think it takes a sackful of chutzpah to make the claim that his motivation is "increasing his consulting business". Despite what Duncan would have you believe, most vulnerability research pays nothing - in the case of David Litchfield specifically, he does have services that he offers, but do those services increase in value the more bugs he finds in Oracle products? I personally doubt it, and the assertion isn't something I would accept without evidence (especially from an Oracle mouthpiece) anyway.

What concerns me is that between these comments and Mary Ann's previous rant stating that security researchers are a problematic bunch, I think there's a cultural problem at Oracle; specifically, I think there is evidence of a culture of resistance against external security researchers. Just for comparison, take a look at Oracle's vulnerability process, compare it with Microsoft's, and tell me again why Microsoft is the security pariah?

Posted by Ed at January 23, 2006 10:43 AM