
Reporting Vulnerabilities
How to Report Security Vulnerabilities to Oracle
If you are an Oracle customer or partner, please use your designated support mechanism (e.g., My Oracle Support or SuiteSupport) to submit a service request for any security vulnerability you believe you have discovered in an Oracle product or Oracle Cloud service.
If you are not an Oracle customer or partner, please email secalert_us@oracle.com with your discovery. We encourage reporters who contact Oracle Security to use Oracle’s public PGP key to encrypt sensitive security vulnerability information before transmission. This includes reports, proof-of-concept details, logs, attachments, and other potentially sensitive materials. This helps protect the confidentiality of the information and ensures that its contents are accessible only to authorized Oracle Security personnel.
Using PGP Encryption
To encrypt sensitive reports or attachments before sending them to Oracle Security:
- Obtain Oracle’s public PGP key.
- Import the public key into your preferred OpenPGP or PGP-compatible encryption software.
- Verify the key fingerprint according to your organization’s security procedures.
- Encrypt the report, attachment, or other sensitive files using Oracle’s public PGP key.
- Attach the encrypted files to your email submission and send them to secalert_us@oracle.com.
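The steps above, worked through with GnuPG as an added example (this is not Oracle's own tooling or script). The key file path, the expected fingerprint and the report file name are placeholders that you must replace with the values you obtained and verified yourself; the email address is the one given on this page. The script selects the recipient key by its verified fingerprint rather than by email address, so a different key carrying the same user ID cannot be picked by mistake.

```shell
#!/bin/sh
# Added example: encrypt a vulnerability report for Oracle Security with GnuPG,
# checking the public key's fingerprint before anything is encrypted to it.
# Assumed placeholders (not taken from the Oracle page):
#   ORACLE_KEY_FILE      - where you saved Oracle's public PGP key
#   EXPECTED_FINGERPRINT - the fingerprint your organization verified out of band
#   REPORT_FILE          - the report or archive you want to encrypt
set -eu

ORACLE_KEY_FILE="${ORACLE_KEY_FILE:-oracle_secalert_pubkey.asc}"
EXPECTED_FINGERPRINT="${EXPECTED_FINGERPRINT:-REPLACE_WITH_VERIFIED_FINGERPRINT}"
REPORT_FILE="${REPORT_FILE:-vuln_report.tar.gz}"
ORACLE_SECALERT="secalert_us@oracle.com"   # address from the Oracle page

# Normalize a fingerprint for comparison: strip whitespace, force upper case,
# so "ab cd" and "ABCD" compare equal regardless of how the key was displayed.
normalize_fpr() {
    printf '%s' "$1" | tr -d ' \t\n' | tr '[:lower:]' '[:upper:]'
}

# Succeeds (exit 0) when two fingerprints are the same after normalization.
fpr_matches() {
    [ "$(normalize_fpr "$1")" = "$(normalize_fpr "$2")" ]
}

# Steps 2 and 3: import the key, then compare the fingerprint gpg reports for
# the Oracle address with the one you verified through your own procedures.
import_and_verify_key() {
    gpg --batch --import "$ORACLE_KEY_FILE"
    # In --with-colons output the "fpr" record carries the fingerprint in field 10.
    actual=$(gpg --with-colons --fingerprint "$ORACLE_SECALERT" \
             | awk -F: '/^fpr:/ { print $10; exit }')
    if ! fpr_matches "$actual" "$EXPECTED_FINGERPRINT"; then
        echo "fingerprint mismatch: got '$actual', expected '$EXPECTED_FINGERPRINT'" >&2
        return 1
    fi
    echo "key fingerprint verified"
}

# Step 4: encrypt to the verified fingerprint (not to the email address).
# --trust-model always is acceptable only because the fingerprint was checked
# above; the output is ASCII-armored so it can be attached to an email.
encrypt_report() {
    out="$REPORT_FILE.asc"
    gpg --batch --yes --armor --trust-model always \
        --recipient "$(normalize_fpr "$EXPECTED_FINGERPRINT")" \
        --output "$out" --encrypt "$REPORT_FILE"
    echo "$out"
}

# Step 5 is manual: attach the printed .asc file to your email to secalert_us@oracle.com.
if [ "${1:-}" = "run" ]; then
    import_and_verify_key
    encrypt_report
fi
```

Run it as `sh encrypt_report.sh run` after setting the three environment variables; it stops before encrypting if the imported key's fingerprint does not match the one you verified.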
Oracle values the contributions of the independent security researchers who find security vulnerabilities and work with Oracle to help protect customers through timely security fixes. When Oracle issues a fix for a reported security vulnerability, Oracle's policy is to credit the researcher in the applicable Critical Patch Update, Critical Security Patch Update, or Security Alert advisory. To be eligible to receive credit, security researchers must follow responsible disclosure practices, including:
- Not publishing the vulnerability before Oracle releases a fix
- Not disclosing exact details of the issue, such as exploits or proof-of-concept code
- Coordinating disclosure with Oracle to allow sufficient time for remediation
Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.