Oracle Zero-Day Flaw Project Cancelled
Benny Folds writes "Cesar Cerrudo of Argeniss has suddenly cancelled plans to release daily zero-day flaws in Oracle databases during the first week in December. Just days before the project was due to start, Cerrudo announced that 'due to many problems,' the WoODB (Week of Oracle Database Bugs) is being scrapped. He did not elaborate on the reasons for the cancellation."
Re:LOL (Score:2, Insightful)
It may surprise you to learn that some of us pay security consultancies to find bugs in software we use [siebel.com]. I don't really care if they then spray them all over milw0rm [milw0rm.org] or keep them quiet for use in their next pen-test; I can make an informed decision on whether to use it, and if so, what sort of controls to include to cover the risk.
Re:LOL (Score:3, Insightful)
2. Request 0 day vulnerabilities from everyone for an event
3. Get threatened with litigation
4. Cancel Event
"[We] do not credit security researchers who disclose the existence of vulnerabilities before a fix is available. We consider such practices, including disclosing "zero day" exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack ", Eric Maurice
"Oracle might have caught a break with Cerrudo but the upcoming release of a hacking handbook by database security guru David Litchfield
Unbreakable when in court (Score:2, Insightful)
It's not as if database hacking isn't still the easiest way to compromise a server.
The DBAs are angry about 0-day exploits being released, as they don't want to do what they are paid for: keep the server current.
Oracle is angry because it makes them look worse than their competition, which may even be true. Hey... the database is widely known for its complexity, and we techies all know how much security and complexity like one another.
Finding 7 non-exposed Oracle security bugs is not even a challenge!
--
Wil