Tuesday, August 11, 2015

Please, security test our code!

Since Oracle was so nice as to remind everyone what software security is really like with closed-source software, I wanted to remind people how finding and reporting security issues works in PostgreSQL:
  1. Feel free to "reverse engineer" the code.  In fact, here it is on GitHub if you want to scrutinize it.
  2. We generally credit security researchers who find real security holes (with limitations for duplicates, etc.).  Over the last few years, some of the most critical bugs in PostgreSQL were found by professional security researchers doing things like fuzz testing.
  3. If you think you've found a security issue, please report it to security@postgresql.org. If it turns out to be a non-issue, we'll tell you, and you can report it as a regular bug.
  4. Be prepared to answer questions about your report.  We showed you our code, you can show us yours.
Our open approach to security is the reason why PostgreSQL was rated by the Database Hacker's Handbook as "the most secure by default": more secure than Oracle.  And why for five Defcons in a row, security hackers have been unable to crack PostgreSQL in the annual Schemaverse competition.

And please ... update your servers! We send out those incremental updates for a reason, and as often as not, they contain security patches. More information is on our Security Page.

Note: the above is my personal opinion and is not the opinion of The PostgreSQL Project or any other organization.


  1. The Ars Technica article is a hoot. So Oracle security == just believe us. Oh, by the way, if you don't, and find we are not as secure as we say, then we will throw lawyers at you. Inspires confidence :)

    1. See Oracle's org chart: http://www.bonkersworld.net/organizational-charts/

  2. Oracle SUCKS! ;) I mean, she has some points about how those reports probably contain a lot of FUD (ever seen a PCI compliance report on a RHEL system?) and these days those big hacks, well... where's my T-shirt? Everyone has security issues, and anti-reverse-engineering clauses are dumb (btw, the time I installed Oracle on Gentoo for class, was that reverse engineering? It's not supported). They are not a good way to protect your Intellectual Monopoly.

  3. Oracle claims that 90% of bugs were not found by customers.

    So 10% of the security issues were findable even without any source code or hint about problems being there? What does that say exactly? Your highly trained engineers with clear vision over the code can only outperform blindfolded externals with no interest in finding bugs at a rate of 9:1?

    I'll go for Postgres any day.

  4. Please provide a method for *secure* disclosure (encrypted email).

    1. For right now, the method is:

      1. Email security@postgresql.org with a request for secure send.

      2. One of the security hackers will get back to you with a GPG key.

      I agree that it would be good to have something more automatic, but this doesn't actually come up that often.