Oracle exec says users get enough flaw info

20.01.2006
As senior director of security assurance at Oracle Corp., Duncan Harris is in charge of the company's vulnerability remediation processes. He also manages a team of 'ethical hackers' at Oracle's Reading, England, software lab whose job is to find flaws in the vendor's products. Following Oracle's latest quarterly patch release this week, Harris spoke with Computerworld about the company's patching policies and its relationship with the IT security community.

Oracle just announced patches for 82 vulnerabilities. Why so many?

Oracle doesn't shy away from fixing flaws publicly through our Critical Patch Updates. We don't hide our internally discovered vulnerabilities. When we discover something internally, we still mention it in our Critical Patch Updates. Other vendors, as the security community knows, may be doing silent fixes. It is something we don't believe in. That is part of the explanation for the large number of vulnerabilities. Certainly, there is also much more attention being paid to Oracle for whatever reason.

Critics say Oracle doesn't share enough vulnerability information for users to make proper risk assessments. Why don't you disclose more details?

As part of our exercise to work out with customers what the regular schedule for our patches should be, we talked to them about the level of information they required in order to understand sufficiently whether they were affected by a vulnerability and what the impact would be if the vulnerability was exploited. We listened very carefully to that, and we have come up with a system where we identify in risk matrices for every one of our product stacks the nature of each of the vulnerabilities that we fix within a quarterly patch update. We believe that it is sufficient information for our customers. Our advisories are for our customers' benefit. They are not for the benefit of the security community.

Are quarterly updates good enough for users?

The comparison is quite clearly with Microsoft's monthly updates. You have to remember that Windows updates are clearly aimed at client machines. Oracle has client-side products, some of which are quite important, but our fundamental focus is on the server side. Comparing this to the monthly patching that Microsoft does is like comparing apples and oranges. It really is quite different to have a systems administrator patch a server-side system and a small client.

Why do you think the security community is so unhappy with Oracle?

In terms of working with the security community, we work very well with those that are happy to abide by the security vulnerability handling processes, which we have published on our Web site for anyone to see. There are others who for their own good reasons choose to pressure us and put our customers at risk by a partial or early or zero-day disclosure of vulnerabilities in Oracle products. I assume that is part of their marketing method to potentially increase their consulting business. Our 'Unbreakable' [advertising] campaign was also a bit of a red flag, which may be another reason why there is so much attention being paid to Oracle by security researchers.

How long does it take for Oracle to fix flaws?

It absolutely depends on their severity. The Critical Patch Update that we [just] issued -- one of the vulnerabilities there was reported to Oracle in November. There is another that was reported to Oracle 800-plus days ago by external researchers. That is not something we are proud of, [but] it points to the fact that we fix vulnerabilities in order of severity. We are making substantial efforts to refine the infrastructure such that reports of vulnerabilities being more than two years old should be a thing of the past. Perhaps in a year's time it will be. But I do anticipate that for the remainder of 2006, you will see security researchers declaring that vulnerabilities they reported two years ago have just been fixed.