Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Some updated links on my Oracle security papers page"] [Next entry: "reading redo logs - The hard way"]

Frank has a good post about security vulnerability reporting

I saw Franks post about vulnerability reporting last week and made a note to and read it when i had a chance. That chance came this evening. Franks post is titled - (broken link) General security: Security Vulnerability reporting. This post by Frank is very interesting and is based around an article "Security Vendor Pushes the Limits of Ethical Exploit Reporting" written on about a company called HexView.

As Frank says this paper is about HexViews policy of disclosing about a vulnerability (an MS Access issue in this case) 24 hours after it was reported to the vendor. Frank grows on to give some great insights based on the recent OWASP conference in London that he attended recently, particularly a keynote on terrorism he heard there. Frank talks in detail about the risks involved in reporting vulnerabilities, writing about them in public forums, writing further about exploits and explaining how they work.

There are some great insights and thoughts in this post. Read it!