[Full-Disclosure] ISV unwilling to provide security patches on Oracle?

[adam morley <adam-fulldisclosure@gmi.com>]

Hi,

(Short version: ISV doesn't think security patches are needed, I need to 
convince them otherwise.  Long version follows)

I'm writing because I'm working with an ISV that develops accouting products on 
Oracle (Specifically Oracle 8i, 9i and 9i app).  Currently, they license the 
Oracle database as an application specific license.  My current problem is they 
refuse to offer security patches for 8i, 9i or 9i app server, saying that the 
functioning of their app is more important than security fixes, and that a 
customer will have a firewall which is "good enough."  I'd love to suggest 
users get patches themselves, but that requires each customer that uses this 
product get a metalink account, which costs money and the ISV says they won't 
support the database once the patches are applied (which, obviously is a 
problem for accounting software!).

I've done some preliminary google searches to find white papers/articles/etc. 
to support my argument that security patches *in addition* to best practices 
like firewalls, good passwords, etc. lead to a secure product.  I've found 
some, but I'd love to get some other white papers/articles/etc. in order to 
convince the ISV that security patches aren't an "optional" kind of thing, but 
rather a requirement in today's world.  Any pertinent legal pointers would be 
helpful too (though the ISV is in Canada, so. . .NAFTA)

I'd also like to avoid "wow, that's a dumb vendor, don't use their product" 
kind of comments, so if you can hold back that would be great.  But if you just 
can't, then I can understand.

In the event someone from Oracle is listening, I'd love to be contacted in the 
event Oracle thinks its a bad idea their ISVs are staunchly opposed to security 
patches.

Thanks for your time,
-- 
adam

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html