
Oracle
External Program
In order to prevent undue risks to our customers, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update (or Security Alert) advisory and pre-release note, the pre-installation notes, the readme files, and FAQs. Furthermore, Oracle provides all customers with the same information in order to protect all customers equally. Oracle does not provide advance notification to individual customers. Finally, Oracle does not develop or distribute active exploit code (or proof of concept code) for vulnerabilities in our products.
If you are an Oracle customer or partner, please use My Oracle Support to submit a service request for any security vulnerability you believe you have discovered in an Oracle product. If you are not a customer or partner, please email [email protected] with your discovery. We encourage people who contact Oracle Security to use email encryption, using our encryption key.
Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:
They do not publish the vulnerability prior to Oracle releasing a fix for it.
They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code.
Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.