If you haven’t heard by now, several days ago Oracle Chief Security Officer Mary Ann Davidson used the corporate blog to go on a scriptural tirade. In her now-deleted post, Davidson went on the offensive towards bug bounty programs and any third-party poking into Oracle software.
“Please comply with your license agreement and stop reverse engineering our code, already,” wrote the CSO, who presumably reads all license agreements in their entirety before clicking ‘accept.’
Davidson goes on to make the following points:
- Customers can’t determine whether something they found is a false positive or not
- Only vendors can make a patch
- And how many times does she have to say you’re violating the license agreement
Naturally this yielded a strong response from the cybersecurity community. A response that makes one wonder if the post originated not with Davidson, but the Oracle marketing department.
Imagine it was planned out like this - first the post would go up from Davidson. Then it's taken down, and by now everyone is talking about it. Major press from Business Insider to Fortune to Ars Technica.
Next Oracle issues an apology. Edward Screven, Oracle’s Chief Corporate Architect, has already done so: “We removed the post, as it does not reflect our beliefs or our relationship with customers."
And finally, while Oracle still has the cybersecurity world’s ear, it’s the perfect time to say, “Despite what Davidson posted, Oracle believes in bug bounties. We’re announcing a bug bounty program.” A marketing move right out of the Ryan Holiday playbook.
Other massive firms see the value of bug bounty programs. One look at HackerOne and you’ll see offerings from Yahoo, Twitter, and Adobe. Microsoft recently raised its own reward to $100,000.
Bug bounties give whitehat operators worthwhile research to do during off-time. Plus it’s not hard to imagine they entice would-be blackhat operators too, preventing malicious acts and bad press.
On all sides of the ethical fence, many cybersecurity operators probably view the Davidson post as a challenge. Oracle can choose to utilize that constructively or await possible backlash.
The monetary cost of a bug reward is small compared to a breach. Those cost firms money and the trust of their customers.