From Oracle's Chief Security Officer: one of the finest marketing posts for free software I've seen in 2015

Florian Weimer fw at deneb.enyo.de
Sun Aug 23 12:48:32 UTC 2015


* David Gerard:

> On 23 August 2015 at 12:32, Florian Weimer <fw at deneb.enyo.de> wrote:
>
>> The blog post is pretty reasonable if you combine the Oracle mindset
>> with the things that some people report as vulnerabilities.  I totally
>> get why she just wants to Make It Stop (because of those reports), and
>> the way she picks contracts/licenses (because of Oracle).
>
>
> "Don't send us automated vulnerability reports, they're not at all
> helpful" is the one sensible bit of the post, yes.
>
> The license argument, however, is abject stupidity as security advice,
> and an excellent argument for software freedom.

It's probably still true.  I don't think there is a reverse
engineering exception for security research.  Whether you have to
publicly rub it into the face of your customers is a different story,
of course.

> C-level executives are people who are empowered to do as they wish.
> Who could tell her no before the fact? No-one, evidently.

At most organizations, the blog software does.  Usually, before
anything gets out, it is proofread for typos and legal issues.

This does not mean that the executive does not have the final say when
it comes to publication, but one can hope that along the process,
someone points out the potential backlash, especially if it is as
obvious as in this case.

> It's a balance, though. The reason for full disclosure of 0-day
> vulnerabilities is a long history of vendors lying, covering up and
> legally suppressing serious problems against their customers'
> interests.

My own experience is that it does not matter how transparent you are,
or what your past track record was.  When reporters feel like it, they
will throw in front of the next-best bus.  They even disregard their
*own* policies.

These people are really smart and creative, and they often behave in
ways such people generally do.



More information about the Discussion mailing list