Is this truly a case of Oracle's people being terrible to deal with when
it comes to security research and response, or is it more toward the
corporate culture that may influence how quickly the organization
responds to issues? I could contend the same thing for several
enterprise software and security software/hardware vendors presently in
the IT space. A culture of trusted advisory and responsiveness to end
users just doesn't *seem* to be on the "Top 5 Initiatives" list. Again,
my assertion goes back to failure to have received a logical response to
the question, "How long is too long to fix your stuff?" Martin has
highlighted some excellent points from what may be a vendor perspective,
however, those points do not necessarily help resolve this issue.
Regards,
valkyrie
Byron Sonne wrote:
This isn't picking on Oracle, this is true for all vulnerabilities in
widely used publicly available products.
Oracle *should* be picked on though: they're terrible people to deal
with when it comes to security research.
---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
The Web Security Mailing List Archives
http://www.webappsec.org/lists/websecurity/archive/
-------------------------------------------------------------------------
This List Sponsored by: Watchfire
Watchfire's AppScan is the industry's first and leading web application
security testing suite, and the only solution to provide comprehensive
remediation tasks at every level of the application. See for yourself.
Download AppScan 6.0 today.
https://www.watchfire.com/securearea/appscansix.aspx?id=701300000003Ssh
--------------------------------------------------------------------------
