Oracle's Security Vulnerability Remediation Practices


	The Critical Patch Update (CPU) is the primary mechanism for the release of all security bug fixes for all Oracle products. With the current exception of the Critical Patch Updates for Java SE, Critical Patch Updates are released quarterly on the Tuesday closest to the 17th of the month in January, April, July, and October. In addition, Oracle retains the ability to issue out of schedule patches or workaround instructions in case of particularly critical vulnerabilities and/or when active exploits are reported "in the wild." This program is known as the Security Alert program. Information about all previously released Security Alerts and Critical Patch Updates, along with the links to download security patches, is posted on the Security Alerts and Critical Patch Updates page.

	BENEFITS
	Maximum Security—Vulnerabilities are remediated by Oracle in order of severity. This process ensures that the most critical security holes are patched first in the Critical Patch Update, resulting in optimizing the security posture of all Oracle customers. Lower Administration Costs—A fixed CPU schedule takes the guesswork out of patch management. The schedule is also designed to avoid typical "blackout dates" during which customers cannot typically alter their production environments. Simplified Patch Management—Patch updates are cumulative for many Oracle products. This provides customers the ability to quickly "catch up" to the current security release level, since the application of the latest cumulative CPU resolves all previously addressed vulnerabilities. Identification of architectural vulnerabilities—Security evaluations can lead to the identification of architectural vulnerabilities

	LEARN MORE
	Oracle's security fixing policies Oracle's security vulnerability disclosure policies Critical Patch Update & Security Alert page Instructions for reporting security vulnerabilities