
Pete Finnigan's Oracle security weblog



Alex has added days to fix to his Oracle security advisories

April 27th, 2005 by Pete


I just got an interesting email from Alex to say that he has added the number of days it took Oracle to fix each of the bugs for which he has published security alerts.

The note at the top of the page states:

"Oracle is really slow in fixing security issues. For our security issues it takes 356 days until Oracle provided a fix for the reported issues. Many issues were fixed without informing their customers"

I think this figure of 356 days refers either to those advisories with no specific number of days to fix, or it could be an average (Alex?).

The worst figure quoted by Alex is 656 days for the bug Buffer Overflow in Create Database Link in Oracle8i - 9i. This is not really on! Why should it take almost 2 years to fix a bug in any software, especially a security bug?

Finally, on Alex's Upcoming Security Alerts page there are no figures for days to fix, as they are not fixed yet, but it does not need too much math skill to see that there are quite a few reported in 2003, the earliest in July 2003.

Oracle has made great advances with their advisories content. I hope that they will improve on the number of days to fix security bugs as well.



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
