Oracle Security Vulnerability Disclosure Policies

To prevent risks to our customers, Oracle will not provide additional information about the specifics of vulnerabilities beyond what is provided in the Critical Patch Update (or Security Alert) advisory and prerelease note, preinstallation notes, readme files, and FAQs for on-premises products, and beyond what is provided in penetration test summaries for specific cloud products. Oracle provides its customers with the same information to protect all customers equally. Oracle does not provide advance notification to individual customers. Finally, Oracle does not develop or distribute active exploit code (or proof of concept code) for vulnerabilities in our products.