The historic antipathy between security researchers and Oracle is partially explained by the software giant's often painfully slow acknowledgement of security problems as well as its staggered release of patches - both for Java and for its database software and other enterprise applications.
Rather than working together with security experts - such as David Litchfield - who discover and report dangerous programming flaws, Oracle has been, by several accounts, difficult, unresponsive and occasionally combative.
Oracle needs to take a leaf out of Microsoft's book and play nice with researchers. A little engagement from its side would go a long way towards getting more outside input on bugs.
Microsoft is really a classic example of what to do.
I remember Microsoft as the most hated company 10 years ago, with security that was not worthy of the name.
Then came the memo from Gates about security, and everything in the company was put on hold until they were sure it was secure, and since then everything has changed.
Microsoft is criticized for security here and there, but the way it is communicating, implementing and organizing security throughout its firms and users has become an example in security management.
It was a security Titanic; it is now a more or less secure luxury cruise ship sailing in seas without icebergs (as long as the captains stay on deck and don't go down to party too much).