Wednesday, November 29, 2006

Researcher Cancels Week of Oracle Database Bugs

Via Vnunet.com -

Security researcher Ceasar Cerrudo, with the Argentinean security vendor Argeniss, has abandoned his plan for 'a week of Oracle Database Bugs'.

The security vendor was originally planning to release details of an unpatched vulnerability in the Oracle database every day for a period of one week. The event was intended to demonstrate the poor level of security in Oracle's database.

"We have 0-days [zero-day bugs] for all database software vendors but Oracle is "The #1 Star" when talking about lots of unpatched vulnerabilities and not caring about security," the company originally said on its website.

The
page was updated on Tuesday. The original text was struck out and above it a notice explained that the event was suspended "due to many problems". The company declined to comment further.

Publishing details of security vulnerabilities before a vendor has released a patch is considered not-done in the security sector because it can put end users at risk.

Late on Monday Oracle published a posting on its
security blog lashing out against researchers who published details of so-called 0-day vulnerabilities. The vendor also said that it won't credit researchers in the patch documentation if they prematurely disclose vulnerability details of the flaws they discover. Security researchers generally rely on company credits to market their skills.

Although the posting did not mention Argeniss, it claims to respond to "a flurry of articles and blog entries".

No comments:

Post a Comment