Comments on: David Lichtfield in the Oracle cross-hairs (again…) http://www.slaviks-blog.com/2010/02/03/david-lichtfield-in-the-oracle-cross-hairs-again%e2%80%a6/ Slavik's Blog Wed, 14 Dec 2011 10:35:06 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: Slavik http://www.slaviks-blog.com/2010/02/03/david-lichtfield-in-the-oracle-cross-hairs-again%e2%80%a6/comment-page-1/#comment-4239 Slavik Thu, 11 Feb 2010 20:28:05 +0000 http://www.slaviks-blog.com/?p=221#comment-4239 David, sorry for misinterpreting your intentions. I completely understand how this might have happened. Oracle usually communicates with the security researchers a few weeks ahead of the patch to tell them if their found vulnerability was patched in the upcoming CPU and I can see how this is not enough time to change speaking arrangements. I'm wondering if you had any communication with Oracle regarding the Black Hat. AFAIK, Oracle gives precedence to public (or would-be public) vulnerabilities. Thanks for correcting my mistake, Slavik David, sorry for misinterpreting your intentions.
I completely understand how this might have happened.
Oracle usually communicates with the security researchers a few weeks ahead of the patch to tell them if their found vulnerability was patched in the upcoming CPU and I can see how this is not enough time to change speaking arrangements.
I’m wondering if you had any communication with Oracle regarding the Black Hat. AFAIK, Oracle gives precedence to public (or would-be public) vulnerabilities.

Thanks for correcting my mistake,
Slavik

]]> By: David Litchfield http://www.slaviks-blog.com/2010/02/03/david-lichtfield-in-the-oracle-cross-hairs-again%e2%80%a6/comment-page-1/#comment-4234 David Litchfield Thu, 11 Feb 2010 09:05:55 +0000 http://www.slaviks-blog.com/?p=221#comment-4234 Actually you're wrong about why I spoke about the flaws. I informed Oracle of these flaws on October 11th (I said November in my speech off the top of my head). I just assumed they'd get it fixed in time for the January CPU - it is a trivial fix afterall. So I submitted these as the basis of the Black Hat talk in November. And since I'm retiring from the vulnerability research side of things I was clearing the decks so to speak. The process Oracle has with vuln researchers isn't broken - I wasn't dissatisified - but I'd committed to speak about the issues. Simply that. I don't have a bone to pick with Oracle anymore. Cheers, David Litchfield Actually you’re wrong about why I spoke about the flaws. I informed Oracle of these flaws on October 11th (I said November in my speech off the top of my head). I just assumed they’d get it fixed in time for the January CPU – it is a trivial fix afterall. So I submitted these as the basis of the Black Hat talk in November. And since I’m retiring from the vulnerability research side of things I was clearing the decks so to speak. The process Oracle has with vuln researchers isn’t broken – I wasn’t dissatisified – but I’d committed to speak about the issues. Simply that. I don’t have a bone to pick with Oracle anymore.
Cheers,
David Litchfield

]]>