The note went on to add that Argeniss could do a Year of Oracle Database bugs if it chose to. "But we think a week is enough to show how flawed Oracle software is," he had said.

Zero-day flaws are those for which no patches are available from the vendor. Publicly disclosing the details of such flaws before vendors have had a chance to address the problems is generally frowned upon in the industry. The practice has added to the considerable friction that already exists between vulnerability researchers and software vendors.

Last year, for instance, database vendor Sybase Inc. Surrey, England-based Next Generation Security Software Ltd. (NGSS) over the latter company's plans to publicly release the details of eight holes it had found in Sybase software. In that case, NGSS had already informed Sybase about the holes, and Sybase had already issued patches for them. Even so, Sybase objected to the release of what it considered to be overly specific details of how to exploit the flaws.

Another vendor involved in a similar dispute was Cisco Systems Inc., which last year sought a federal injunction to stop an independent vulnerability researcher from spreading information on .

There's nothing to show that Oracle may have influenced Cerrudo's decision in the latest instance. But noted a "flurry of articles and blog entries" about Oracle security in recent days and criticized security researchers who disclosed the existence of zero-day bugs before a fix is available.