Oracle maintains strong security controls over its source code. Oracle’s source-code protection policies provide limits on access to source code (enforcement of the need to know), requirements for independent code review, and periodic auditing of the company’s source-code repositories. Oracle’s objectives with protecting its source code are twofold:
1. Protect the company’s intellectual property while fostering innovation
2. Protect Oracle and its customers against malicious attempts to alter Oracle’s source code or exploit security vulnerabilities
Oracle Software Security Assurance policies and practices are designed to prevent the introduction of security vulnerabilities in Oracle-developed code.
Oracle also maintains strong controls over the technical description of security vulnerabilities in Oracle code. Oracle’s Security Vulnerability Information Protection Policy defines the classification and handling of information related to product-security vulnerabilities and requires that information concerning security bugs be recorded in a tightly controlled corporate database.
Oracle Cloud largely relies on Oracle products that are subject to Oracle Security Assurance activities. Oracle-developed code used solely in the cloud, that is, code that is not used in on-premises product distributions, is also subject to Oracle Software Security Assurance.
Oracle’s policies prohibit the introduction of backdoors into its products. Backdoors are deliberately (and maliciously) introduced code intended to bypass the security controls of the application in which it is embedded. Backdoors do not include:
Oracle also carefully vets third-party software and hardware to avoid the use of products: