
Pete Finnigan's Oracle security weblog




Oracle has released a new security vulnerability fixing policy and process

November 3rd, 2005 by Pete


Yesterday Oracle released a new document, "Security Vulnerability Fixing Policy and Process". This is significant as it sets out Oracle's stall on the process that they will use to fix security bugs and release patches. Read this document; it is enlightening. The document covers the critical patch updates, cumulative patches versus one-off patches, and the order of fixing security bugs - there is an example of product and patch release cycles with a diagram. The paper goes on to talk about critical patch update documentation and finally about the process for crediting researchers who find the security bugs. This is where Oracle is clear. If a researcher works with Oracle, does not publish the vulnerability before the fix is available, and does not publish exact details of the bugs, exploits or proofs of concept, then they will be credited. The paper goes on to justify the reasons for this new stance. Also, employees or contractors will not be credited. This paper is worth reading for anyone who wants to understand Oracle's thoughts on fixing security bugs.



This is the weblog for Pete Finnigan. Pete works in the area of Oracle security and he specialises in auditing Oracle databases for security issues. This weblog is aimed squarely at those interested in the security of their Oracle databases.
