Last night Oracle’s CSO Mary Ann Davidson wrote a blog post that described a negative stance on external security research and bug bounties specifically.
The post was taken down sometime this morning but you can read the archive here.
I’ll particularly highlight the Bug Bounty section:
Q. Hey, I’ve got an idea, why not do a bug bounty? Pay third parties to find this stuff!
A. Bug bounties are the new boy band (nicely alliterative, no?) Many companies are screaming, fainting, and throwing underwear at security researchers**** to find problems in their code and insisting that This Is The Way, Walk In It: if you are not doing bug bounties, your code isn’t secure. Ah, well, we find 87% of security vulnerabilities ourselves, security researchers find about 3% and the rest are found by customers. (Small digression: I was busting my buttons today when I found out that a well-known security researcher in a particular area of technology reported a bunch of alleged security issues to us except – we had already found all of them and we were already working on or had fixes. Woo hoo!)
I am not dissing bug bounties, just noting that on a strictly economic basis, why would I throw a lot of money at 3% of the problem (and without learning lessons from what you find, it really is “whack a code mole”) when I could spend that money on better prevention like, oh, hiring another employee to do ethical hacking, who could develop a really good tool we use to automate finding certain types of issues, and so on. This is one of those “full immersion baptism” or “sprinkle water over the forehead” issues – we will allow for different religious traditions and do it OUR way – and others can do it THEIR way. Pax vobiscum.
Let me also say: The security research community, both friendly and adversarial, doesn’t have a concept of “No, You Really Can’t” – The title of Mary Ann Davidson’s post. They challenge assumptions and find out how things actually work, as opposed to how they are supposed to work.This feature is precisely what makes the good guys valuable, and the bad guys particularly scary.
What are your thoughts on Mary’s post? How do you think Oracle could better handle their approach to security testing by customers and external consultants?