If you are an Oracle customer or partner, please use your designated support mechanism (e.g., My Oracle Support or SuiteSupport) to submit a service request for any security vulnerability you believe you have discovered in an Oracle product. If you are not a customer or partner, please email firstname.lastname@example.org with your discovery. We encourage people who contact Oracle Security to use email encryption using our encryption key.
Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:
Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.