Week of Oracle bugs axed--for now?
The bug hunters at Argeniss have put their plans for a "Week of Oracle Database Bugs" on ice.
Due to "many problems" the initiative has been "suspended," according to a posting on the Argeniss Web site. The company provides no additional details.
The researchers had planned to disclose a zero-day vulnerability in Oracle's database software every day during a week in December. The initiative was meant to show that Oracle is failing when it comes to product security.
Some database security experts had blasted the idea.
"It will just make life more difficult for many hard working DBAs and security managers," Pete Finnigan, an Oracle security specialist in York, England, wrote on his blog. "Oracle are getting better at fixing bugs, give them a chance and don't make further unnecessary risks to customers."
Oracle has been facing increased heat recently from security researchers, in particular from David Litchfield, a British security researcher who constantly has Oracle in his crosshairs.
Last week Litchfield published a pair of papers, one highlighting what he called a new class of attacks on Oracle databases as the result of "dangling cursors" left by developers (see PDF) and another that compared Oracle and Microsoft database security (see PDF).
"The conclusion is clear--if security robustness and a high degree of assurance are concerns when looking to purchase database server software...one should not be looking at Oracle as a serious contender," Litchfield concluded in his second paper.
Oracle responded on its product security blog on Monday. "One of Oracle's highest priorities is the security of our customers," company representative Eric Maurice wrote.
But, he wrote, "because software engineering is a complex discipline, the absence of security flaws in released software cannot be fully guaranteed."