Hacker News

The crux of the article is that Oracle is getting so many unsolicited false-positive security vulnerability reports that it's a distraction to their core business. They don't want "I found a hole in Oracle" to be an achievement like "I have my name on a patent."

Investigating security vulnerabilities takes a lot of time, and it's very easy to quickly get overwhelmed by false positives. I've seen quite a few analyses of code that I write, and most of them are warnings with no context or exploitability.

If every customer expected an engineer to respond to these, my team would spend all of its time in a "PR role," and wouldn't spend any time improving our products.

Well, except that, like most enterprise software customers, these customers pay Oracle huge sums of money in the form of support contracts specifically so that they can have access to an engineering team. I could understand the argument if this weren't the case, but a big part of enterprise agreements is this very thing, so I'm not very sympathetic to the argument that such a support ticket, which these companies paid a lot of money for, is essentially treated like a second-class citizen because of the way the company decided to do security testing. If this support agreement weren't in place? Sure. I could easily see this argument.

I don't agree; we are talking luxury software here. Oracle systems and contracts are the most expensive on the market, you should not feel any guilt for any contact with their gold-plated support, and you could almost expect them to run warning-free in most analysers, like you expect a Ferrari to come without any blemish in the paint, even though it's a freaking car and the paint is not functional.
