
Argentine firm scraps Oracle flaw-a-day plans

A security services firm's plan to post an Oracle vulnerability each day for a week has been scrapped over fears the database giant might cut off ties with the firm's customers.

Argentina-based Argeniss had planned The Week of Oracle Database Bugs (WoODB), modeled after H.D. Moore's Month of Browser Bugs and LMH's Month of Kernel Bugs initiatives.

The endeavor was meant to criticize Oracle's security stance by publicly disclosing seven holes in Oracle Database solutions.

But the idea was scratched after discussions with Argeniss determined one of its customers could be negatively affected, company founder and CEO Cesar Cerrudo said today via instant messenger.

"It could cause business problems to this partner, and I will never allow that to happen to any customers of (ours)," he said. "A thing like WoODB is very controversial. Some people agree with it. Some people don't."

When asked to elaborate, Cerrudo said that publicly posting zero-day flaws in Oracle products might lead to a backlash for Argeniss customers.

"Let's say my customer is in business with Oracle," he said. "So I publish Oracle vulnerabilities (and) Oracle will get mad (at) my customer because Oracle knows my customer works with me."

Regardless of his decision to cancel WoODB, Cerrudo said Oracle is not serious when it comes to security, adding that his firm could publish more than 50 unpatched vulnerabilities.

"Oracle software is very insecure," he said. "They don't listen to anyone and they say they were improving security, which is not true because if you look at current Oracle software, you can find many vulnerabilities in 10 minutes."

An Oracle spokesperson could not be reached for comment today.

In October, Oracle released 101 fixes, marking its largest critical patch update (CPU) in more than a year.

The WoODB plan met opposition from the start.

Critics had said the project would not do much good because Oracle issues quarterly fixes, meaning the next patch release would not address the bugs until Jan. 16 or, more likely, April 17 of next year.

Click here to email Dan Kaplan.
