Call: +44 (0)1904 557620 Call

Pete Finnigan's Oracle Security Weblog

This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.

[Previous entry: "Mary Ann speaks about security strategy"] [Next entry: "Why Protect Fort Knox Borders But Ignore The Gold?"]

Oracle has released a new security vulnerability fixing policy and process

Yesterday Oracle has released a new document "Security Vulnerability Fixing Policy and Process". This is significant as it sets out Oracle's stall on the process that they will use to fix security bugs and release patches. Read this document, it is enlightening. The document covers the critical patch updates, cumulative patches verses one-off patches, and the order of fixing security bugs - there is an example of product and patch release cycles with a diagram. The paper goes on to talk about critical patch update documentation and finally about the process for crediting researchers who find the security bugs. This is where Oracle is clear. If a researcher works with Oracle and does not publish the vulnerability before the fix is available and does not publish exact details of the bugs or exploits or proof of concepts then they will be credited. The paper goes on to justify the reasons for this new stance. Also employees or contractors will not be credited. This paper is worth reading for anyone who wants to understand Oracle's thoughts on fixing security bugs.