From Oracle's Chief Security Officer: one of the finest marketing posts for free software I've seen in 2015

David Gerard dgerard at
Tue Aug 11 19:10:24 UTC 2015

On 11 August 2015 at 20:00, Alessandro Rubini <rubini at> wrote:

> But most likely I didn't get the point about this post. Can you please
> expand?

Hmm, you're the only person so far I know of who hasn't reacted in shock.

* The attitude of security by obscurity, as if telling your customers
"don't look!" stops the black hats for a second.
* Don't look for security holes in Oracle, it's a violation of your license.
* If you find security holes, don't tell us, it's a violation of your
license to have looked and we will send a legal notice telling you to
throw away the information.
* It is true that someone found a pile of actual security holes, but
we were totally going to fix them, honest! Some time or other.
* The tone of contempt for the customer, daring to look and ascertain
their own security risk.

This is precisely why we need software freedom.

As a sysadmin, I was shocked that a vendor with a high-quality free
software alternative would write something like this that makes them
look *utterly incompetent* in the field of security.

Reactions on Hacker News:

Someone immediately found an XSS on Oracle's site:

Oracle's database software is very good indeed - it gives your data
back reliably and with fantastic performance. The problem is literally
every other aspect of dealing with Oracle ...

- d.

More information about the Discussion mailing list