Tension between security vendors, bug hunters continues

04.12.2006
The long-standing tension between software vendors and the independent vulnerability researchers who find security holes in vendors' products shows few signs of abating, despite recent talk about responsible vulnerability-disclosure practices.

Last week, Oracle Corp. criticized independent vulnerability researchers after it came under fire for its security practices. In a company blog, Eric Maurice, manager for security in Oracle's global technology business unit, said the company would not let external perceptions drive its security policies.

In the blog, Maurice reiterated Oracle's commitment to strong security practices and said that it would continue to prioritize vulnerabilities based on their criticality and not on who discovered them. Maurice also blasted security researchers who disclose zero-day bugs before fixes for them are available.

"We consider such practices, including disclosing 'zero-day' exploits, to be irresponsible, as they can result in needlessly exposing customers to risk of attack," the blog noted, without pointing fingers at any specific researchers.

The blog post was in apparent response to a "flurry of articles and blog entries" in recent days about Oracle security. Among them was a study by U.K.-based Next Generation Security Software Ltd. that showed that Oracle's database products have had far more vulnerabilities than Microsoft Corp.'s SQL Server software over the past six years. At the same time, a security researcher in Argentina announced plans to release one Oracle zero-day bug every day for one week in December. That plan was later canceled, however.

Cesar Cerrudo, founder of Buenos Aires-based information security firm Argeniss, refused to explain why he canceled his plans for a week of Oracle database bugs. But he reiterated the usefulness of the work done by independent security research firms such as his. "Most [vulnerability research] companies find a vulnerability and report it to vendors, so research companies are giving research for free to vendors and doing what supposedly the vendor should do," he said in an e-mail.