These last two days the infosec community has been consumed by a blog post Oracle CSO Mary Ann Davidson wrote. In that post she railed against security researchers who reverse-engineer Oracle’s code and nudge the database giant with their vulnerability findings. (Oracle removed the post, but The Wayback Machine captured it and it’s been distributed far and wide anyway.)
Mood music:
Davidson argued that Oracle does just fine finding and fixing its vulnerabilities and that outsiders who butt in are messing with end-user license agreements and overall company sovereignty.
Having reported on Oracle vulnerabilities for years, I found her position flawed. I’ve seen time and again how researchers find flaws and Oracle leaves them unfixed, sometimes for years. That tells me the company doesn’t have a handle on its security problems. I also think it’s important that companies welcome the help of outside researchers. In the fight against the bad guys, companies can use all the help they can get. Google and Microsoft understand this, and their bug bounty programs enhance their overall security.
Oracle took the post down, saying it doesn’t accurately reflect the company’s view of customers. If you’re Davidson, that’s gotta sting. Her not responding to the criticism makes the situation worse. I suspect Oracle has muzzled her, and the company itself isn’t returning reporters’ calls. Not that the company has ever been good at returning calls. It was a closed-off culture when I was reporting on its security flaws a decade ago.
We can disagree with Davidson, but we should remain professional rather than stoop to childish taunts.
She forcefully argued her position, and the relationship between security researchers and tech companies is an important, ongoing topic. I’ve seen a lot of people criticizing her position respectfully, which is good. But I’ve also seen the usual vitriol-laced pile-on. Hundreds of people are ripping her to shreds, often doing so with the same amount of snark they criticized her for using in her post. With these debates people can get mean, and that’s too bad.
I’ve known Davidson for a long time. We haven’t always seen eye to eye, but she’s a good, intelligent person and I respect her a lot. It’s sad to see her character unnecessarily killed in an online, public execution.
I hope she gets through this. I suspect she will.
Finally, it’s worth noting that those of us who write are always going to get it wrong from time to time. I’ve had my share of stinkers. We’re all human and emotion does funny things to the brain. That’s what I’m trying to keep in mind during this latest infosec firestorm.
Disagreement is good. But when you remove kindness, it turns to poison.
An old friend told me once: “Criticism without compassion is brutality.”