A security researcher who’s reported 70 flaws in Oracle’s Java software says its CSO’s claim that researchers only find three percent of the company’s software bugs is bogus. However, Oracle stands by the claim.
Oracle swiftly took down a controversial blog by its CSO Mary Ann Davidson since it didn’t reflect its relationship with customers, but the company stands by her claim that external security researchers’ contribution to the bugs it fixes are marginal.
Adam Gowdiak, CEO of Security Explorations, offered the latest barb directed at Oracle after Davidson belittled the work of security researchers.
In a post on Full Disclosure today, Gowdiak questioned Davidson’s claim that external researchers only contribute three percent to the total number of bugs Oracle has fixed, while Oracle internally found 87 percent and customers found 10 percent.
Gowdiak joined a chorus of security researchers, including ERPSoftware and countless others, who’ve contributed to Oracle’s security and spoken up against Davidson’s post, which told customers and researchers to stop breaching its license terms by reverse engineering Oracle’s software. She said they were wasting Oracle’s time with reports that often turned out to be "false positives" -- alarms when one shouldn’t be raised.
Security Explorations and Gowdiak however aren't in the business of supplying false positives to Oracle and, as Gowdiak stressed to CSO Australia, it always provides Oracle with working proof of concepts that illustrate how the bugs it reports work. Gowdiak has been credited with finding 71 bugs in Java SE, and dozens more in Oracle’s Java Cloud, Java components in Google’s cloud, and Database Java VM.
Davidson didn’t explain how she concluded that researchers like Gowdiak only contributed 3 percent to all of Oracle’s bug fixes, but his analysis of Oracle’s Critical Patch Updates (CPUs) and Java updates over the past three years shows that researchers play a far more significant role in securing Oracle’s products than the figure suggests.
Gowdiak reviewed 23 of Oracle’s quarterly CPUs and 12 Java SE updates since 2010, and found that 22 percent of 2,210 bugs in Oracle CPUs were credited to third parties while 38 percent of Java SE bugs were found outside of Oracle.
He offered that Oracle’s numbers could be real on the assumption that the 87 percent of bugs attributed to Oracle were silently fixed or have not been fixed yet. The numbers could also be bogus, he added.
But, according to Oracle, Davidson’s numbers aren’t bogus and it seems Gowdiak’s guess that she included bugs that were silently fixed was right.
In a statement to CSO Australia, an Oracle spokeswoman explained that her figures included many fixes found through internal testing, which don’t show up in its CPUs.
“The majority of security bugs are found through internal testing and fixed in the normal course of development. Much of that activity is not visible outside Oracle,” the spokeswoman said.
“In particular, many internally found and fixed security bugs are not reported through Oracle's CPU process. Therefore, it is not possible for Adam Gowdiak or other parties outside Oracle to calculate the fraction of security bugs found and reported by customers and researchers.”
Gowdiak might not be able to work out how much researchers truly contribute to Oracle’s overall bug fixes, but he’s got a point on another count: Davidson and Oracle show little respect to researchers who help keep its customers safe.
Unlike Adobe, Apple, Google, Microsoft, and Sun (Java’s owner before Oracle acquired the company) which do link researchers to each bug that’s been assigned a Common Vulnerabilities and Exposure (CVE) identifier, Oracle only mentions the names of bug reporters in a general “credit statement” that doesn’t assign each specific bug to the researcher. In other words, a researcher who found seven bugs Oracle’s CPU or Java updates receives implied credit for a maximum of one bug.
“[Vendors] usually accompany a given CVE id with a name of the organization or researcher that is responsible for discovering a given issue,” said Gowdiak.
Google and Microsoft additionally pay researchers for reporting the bugs; all Gowdiak has petitioned Oracle for is proper credit where credit is due.
“We believed that such a credit statement shows much more respect towards security researchers than the one in use by Oracle — just a bunch of names included in a paragraph — and allows different vulnerability database maintainers (DBs) an accurate update of their DBs with credit related information,” said Gowdiak.
Again, countering Davidson’s suggestion researchers mean little to its security program, Gowdiak points out that her figure of 87 percent internally found bugs would be absurd if it was based on CPUs, translating to Oracle finding a whopping 17,000 bugs in 5.5 years.
“This would also mean that Oracle is indeed a true leader when it comes to nixing security vulnerabilities in software and that it does not have a match in the whole industry (17000 vulnerabilities is twice as much as all vulnerability IDs in CVE database corresponding to Microsoft, IBM, HP and Apple issues combined together),” wrote Gowdiak.
Oracle didn’t respond to CSO Australia’s question about this issue.
As for Davidson’s recommendation that customers ensure “the usual security hygiene” — such as patching systems and using data encryption — the researcher highlighted Oracle’s imperfect record on this count. In recent years, he’s caught Oracle using a two year old version of Java SE in its US and European cloud facilities, storing credentials and passwords in the clear in a European data centre, and risking the security of its users by sending out vulnerability status reports for zero-day bugs to researchers in plain text.
Want to know more?
Why not become a CSO member and subscribe to CSO's mailing list.
Get newsletters, updates, events and more right here