Microsoft earns patching praise from IT execs

23.01.2006

Executives at Oracle and Cisco defended their companies' security approaches.

Oracle's vulnerability remediation and response strategies are very customer-focused, said Duncan Harris, the company's senior director of security assurance. He said Oracle's decision to move to a quarterly update schedule last January was based on feedback from database administrators, who said they would prefer a longer gap between updates.

Similarly, Oracle's decision to limit the amount of vulnerability information it discloses is driven solely by the interests of users, Harris said. "Our advisories are for our customers' benefits," he said. "They are not for the benefit of the security community." Harris claimed that more-complete disclosures of the sort issued by Microsoft only increase the security risks faced by users. Oracle's centralized vulnerability handling group has been working over the past two to three years to ramp up its processes for developing, testing, porting and distributing patches, Harris added.

Cisco officials have said that their response to the vulnerability disclosure at the Black Hat conference was reasonable because the company was trying to protect its intellectual property and prevent the release of information that attackers could use as instructions for targeting routers.

Last week, Mike Caudill, Cisco's product security incident manager, said the company plans to continue releasing security fixes as they become available instead of making users wait for periodic updates. And it's unlikely that Cisco will start rating the severity of its flaws.