If you are an Oracle customer or partner, please use My Oracle Support to submit a service request for any security vulnerability you believe you have discovered in an Oracle products. If you are not a customer or partner, please email email@example.com with your discovery. We encourage people who contact Oracle Security to use email encryption, using our encryption key.
Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:
They do not publish the vulnerability prior to Oracle releasing a fix for it
They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code
Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.