- Feel free to "reverse engineer" the code. In fact, here it is on github if you want to scrutinize it.
- We generally credit security researchers who find real security holes (with limitations for duplicates, etc.). Over the last few years, some of the most critical bugs in PostgreSQL were found by professional security researchers doing things like fuzz testing.
- If you think you've found a security issue, please report it to firstname.lastname@example.org. If it turns out to be a non-issue, we'll tell you, and you can report it as a regular bug.
- Be prepared to answer questions about your report. We showed you our code, you can show us yours.
And please ... update your servers! We send out those incremental updates for a reason, and often as not, there are security patches. More information on our Security Page.
Note: the above is my personal opinion and is not the opinion of The PostgreSQL Project or any other organization.
The ars technica article is a hoot. So Oracle security == just believe us. Oh by the way if you don't and find we are not as secure as we say, then we will throw lawyers at you. Inspires confidence:)ReplyDelete
See Oracle's org chart: http://www.bonkersworld.net/organizational-charts/Delete
Oracle SUCKS! ;), I mean she has some points about those reports probably contain a lot of FUD (ever seen a PCI compliance report on a RHEL system?) and these days those big hacks, well... where's my TShirt? Everyone has security issues, and anti reverse engineering clauses are dumb (btw, the time I installed oracle on Gentoo? for class, was that reverse engineering? it's not supported). They are not a good way to protect your Intellectual Monopoly.ReplyDelete
Oracle claims that 90% of bugs were not found by customers.ReplyDelete
So 10% of the security issues were findable even without any source code or hint about problems being there? What does that say exactly? Your highly trained engineers with clear vision over the code can only outperform blindfolded externals with no interest in finding bugs at a rate of 9:1 ?
I'll go for Postgres any day.
Please provide a method for *secure* disclosure (encrypted email).ReplyDelete
For right now, the method is:Delete
1. email email@example.com with a request for secure send.
2. one of the security hackers will get back to you with a GPG key.
I agree that it would be good to have something more automatic, but this doesn't actually come up that often.
Those meddling kids.ReplyDelete