Oracle to open up on bug severity

Business software giant will add severity ratings to its security bulletins, helping customers prioritize patching.

Joris Evers Staff Writer, CNET News.com
Joris Evers covers security.
Joris Evers
2 min read
Oracle plans to add severity ratings to its security bulletins, making the alerts less of a guessing game for customers.

Starting with its Critical Patch Update scheduled for next week, Oracle will rate the severity of the flaws that it provides fixes for, Darius Wiles, senior manager for security alerts at Oracle, said late Tuesday.

In addition, the business software giant's security bulletins will explicitly indicate which bugs could be exploited over the Internet by anonymous attackers and will provide a summary of the security problems for each of its product categories, Wiles said.

"This will allow customers to better understand the risk they face from the vulnerabilities that we're fixing," Wiles said.

The changes to Oracle's Critical Patch Update should make the company's quarterly scheduled security update less of a riddle. Previously the update required some work to determine the most serious vulnerabilities, an important task when prioritizing patches. Oracle rivals, such as Microsoft, have provided severity ratings for years.

Oracle has faced various criticisms about its security practices over the past couple of years, and the company has apparently decided to become more upfront about the topic. Its chief security officer has started blogging, and the enterprise software company is talking to the media and at its own events about security.

Oracle is not adding a proprietary severity score; it is taking a leap and becoming one of the first major software companies to adopt the Common Vulnerability Scoring System. Formally introduced last year, CVSS calls on companies to use a unified approach to rating vulnerabilities in software, instead of using proprietary methods.

"Instead of coming up with a scheme ourselves, we decided to use something that is already out there," Wiles said. "Each vulnerability will have a base CVSS score, and the table will be ordered with the most critical at the top."

CVSS goes beyond today's severity ratings, such as the familiar "critical" and "important" found in security bulletins from Microsoft. The scoring system uses numbers between 1 and 10 and lets organizations calculate the specific risk to their own environment by adding information related to their IT systems.

Oracle plans to talk more about security and to solicit feedback at the Oracle Open World conference later this month in San Francisco. Next year, Oracle CEO Larry Ellison is slated to speak at the RSA Conference, a high-profile annual security gathering.