A bug hunter who had promised to disclose one zero-day bug in Oracle databases every day for a whole week in December has abruptly canceled his plans to do so.
In a brief note posted on his company's website, Cesar Cerrudo, founder of Buenos Aires-based Argeniss Information Security, says he had suspended his plans for a week of Oracle Database bugs "due to many problems."
Cerrudo apologises to those who had contributed to the project, but offers no explanation for his decision to cancel the initiative, which was announced only last week.
In an emailed comment, Cerrudo says he is "sad and angry" about the decision, but he adds that he prefers not to comment any further because he doesn't want to cause "more problems."
In the original note announcing his plans, Cerrudo said his effort was inspired by a similar Month of Browser Bugs and Month of Kernel Bugs announced earlier this year by other independent vulnerability researchers.
"We want to show the current state of Oracle software (in)security (sic)," Cerrudo said in his note. "We want to demonstrate Oracle isn't getting any better at securing its products."
The note went on to add that Argeniss could do a Year of Oracle Database bugs if it chose to. "But we think a week is enough to show how flawed Oracle software is," he had said.
Zero-day flaws are those for which no patches are available from the vendor. Publicly disclosing the details of such flaws before vendors have had a chance to address the problems is generally frowned upon in the industry. The practice has added to the considerable friction that already exists between vulnerability researchers and software vendors.
Last year, for instance, database vendor Sybase threatened to sue Surrey, England-based Next Generation Security Software (NGSS) over the latter company's plans to publicly release the details of eight holes it had found in Sybase software. In that case, NGSS had already informed Sybase about the holes, and Sybase had already issued patches for them. Even so, Sybase objected to the release of what it considered to be overly specific details of how to exploit the flaws.
Another vendor involved in a similar dispute was Cisco Systems, which last year sought a federal injunction to stop an independent vulnerability researcher from spreading information on how to hack a Cisco router.
There's nothing to show that Oracle may have influenced Cerrudo's decision in the latest instance. But an Oracle blog post notes a "flurry of articles and blog entries" about Oracle security in recent days and criticises security researchers who disclose the existence of zero-day bugs before a fix is available.
"We consider such practices, including disclosing 'zero-day' exploits, to be irresponsible as they can result in needlessly exposing customers to risk of attack," the blog notes without citing any researchers by name. The blog adds that Oracle closely monitors the publication of such zero-day flaw information to see whether it poses a realistic threat to customers and, if need be, to issue a patch if it does.
"Ultimately, we seek to work with security researchers as partners for the purpose of making our products more secure," the blog says. "But we do not contract security researchers for competitive research, or for the main purpose of placing them under a contractual 'obligation of silence.'"