Source Code Protection

Overview

Oracle maintains strong security controls over its source code. Oracle’s source-code protection policies provide limits on access to source code (enforcement of the need to know), requirements for independent code review, and periodic auditing of the company’s source-code repositories. Oracle’s objectives with protecting its source code are twofold:

1. Protect the company’s intellectual property while fostering innovation

2. Protect Oracle and its customers against malicious attempts to alter Oracle’s source code or exploit security vulnerabilities

Protection of Technical Vulnerability Information

Oracle Software Security Assurance policies and practices are designed to prevent the introduction of security vulnerabilities in Oracle-developed code.

Oracle also maintains strong controls over the technical description of security vulnerabilities in Oracle code. Oracle’s Security Vulnerability Information Protection Policy defines the classification and handling of information related to product-security vulnerabilities and requires that information concerning security bugs be recorded in a tightly controlled corporate database.

Applicability of Oracle Software Security Assurance to Oracle Cloud

Oracle Cloud largely relies on Oracle products that are subject to Oracle Security Assurance activities. Oracle-developed code used solely in the cloud, that is, code that is not used in on-premises product distributions, is also subject to Oracle Software Security Assurance.

Prohibition of Backdoors in Oracle Code

Oracle’s policies prohibit the introduction of backdoors into its products. Backdoors are deliberately (and maliciously) introduced code intended to bypass the security controls of the application in which it is embedded. Backdoors do not include:

  • Unintentional defects in software that could lead to a weakening of security controls (security bugs)
  • Undocumented functionality designed to be generally inaccessible by customers but serves a valid business or technical purpose (diagnostics and troubleshooting utilities)

Oracle also carefully vets third-party software and hardware to avoid the use of products:

  • With known vulnerabilities
  • Developed with poor security assurance
  • That may potentially include backdoors