Thursday Aug 25, 2011

I’m a customer, and I found a security vulnerability in an Oracle product, what should I do?

Open a Service Request (SR) with Oracle Support, as for any other product issue. Please do not log several vulnerabilities under one SR: this forces additional triage and can introduce delays. One vulnerability => One SR. State explicitly in the SR that you consider the issue to be a security vulnerability, and attach the steps to reproduce it, or a Proof of Concept.

As a simple example, a typical proof of concept for a cross-site scripting (XSS) vulnerability is the set of steps showing that an attacker can get a JavaScript alert() to execute in a user's browser.
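To make the "steps to reproduce" concrete, here is an added example (not code from the original post, and not Oracle code) of what a demonstrable XSS proof of concept looks like: a hypothetical search page that reflects a query parameter into HTML unescaped, the same page with escaping applied, a check for whether the response carries live script, and the reproduction steps a reporter would paste into the SR. The endpoint URL, the parameter name and the page markup are all invented for the example.

```javascript
// Added example, not from the original Oracle post. The endpoint, parameter
// name and page markup are hypothetical; only the technique is real.

// The payload a reporter typically sends. The alert() is not the goal in
// itself; it is the clearest visible evidence that attacker-controlled
// script ran in the victim's browser, in the application's origin.
const POC_PAYLOAD = '<script>alert(document.domain)</script>';

// Hypothetical vulnerable handler: reflects the "q" parameter into HTML unescaped.
function renderSearchPageVulnerable(query) {
  return `<html><body><h1>Results for: ${query}</h1></body></html>`;
}

// Escape the characters that let text break out of an element body or attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#x27;');
}

// Fixed handler: same page, but the query is escaped before interpolation.
function renderSearchPageFixed(query) {
  return `<html><body><h1>Results for: ${escapeHtml(query)}</h1></body></html>`;
}

// Would a browser execute script from this response? For a reproduction
// step, looking for a raw <script> element in the markup is sufficient.
function containsLiveScript(html) {
  return /<script\b[^>]*>[\s\S]*?<\/script>/i.test(html);
}

// Build the "steps to reproduce" text for the SR from the request that was
// sent and the response that came back.
function buildReproductionSteps(url, param, payload, renderedHtml) {
  const encoded = encodeURIComponent(payload);
  return [
    `1. As any user, open: ${url}?${param}=${encoded}`,
    '2. Observe that the response body contains the payload unescaped:',
    `   ${renderedHtml}`,
    '3. Result: the browser executes alert(document.domain) in the origin of the application.',
  ].join('\n');
}

// Run the payload through both handlers and report what a reviewer would check.
function demo() {
  const vulnerable = renderSearchPageVulnerable(POC_PAYLOAD);
  const fixed = renderSearchPageFixed(POC_PAYLOAD);
  return {
    vulnerableExecutes: containsLiveScript(vulnerable), // true: script reaches the browser
    fixedExecutes: containsLiveScript(fixed),           // false: payload is inert text
    vulnerableHtml: vulnerable,
    fixedHtml: fixed,
    // Hypothetical URL and parameter, used only to show the shape of the report.
    steps: buildReproductionSteps('https://app.example/search', 'q', POC_PAYLOAD, vulnerable),
  };
}

const result = demo();
console.log(result.steps);
console.log('fixed page executes script:', result.fixedExecutes);
```

The value of the third step is that it names an observable outcome a Support Analyst can verify on their own instance; a scanner finding that only says "parameter q may be vulnerable to XSS" gives them nothing to reproduce.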

Oracle Support will not consider or comment on undemonstrated security vulnerabilities, or on scanner output alone, although these can be provided as additional information alongside a working reproduction.

In a nutshell, the key to an efficient resolution of your issue is:

- create an SR as usual,

- visibly state “security vulnerability” in the SR,

- attach clear and unambiguous steps to reproduce.

Your issue will then be handled by a Support Analyst trained in handling security issues. The Support Analyst will help you find and apply a solution if one already exists, or will forward the SR as a bug to Oracle Development, which will issue a fix according to Oracle's policies.

Read all about Oracle Software Security Assurance here: