PostgreSQL: Please, security test our code!

Ah, okay, I guess we're arguing at slightly cross purposes.

I think the fundamental idea of telling people to bug off is just bad, full stop. Obviously, this customer analysis is working at least some of the time, and while she may bang on about the 10% thing, I imagine it's probably a much higher percentage of bugs that got out the door. (In other words, I think she's probably counting internal bugfixes, ones that customers never saw, in that 90% figure.) But, even if it is just 10%, security flaws are really dire, especially in very widely distributed software like Java.

A post completely from the perspective of "here's how to get some value out of the analysis tools" might be useful. Or even saying, "Gee, we're seeing a lot of this, and it hasn't been very helpful, because it takes a ton of time and rarely leads to anything productive. If you could give us an actual exploit with your report, that would speed things up tremendously."

I think that would probably give Oracle a good chunk of what they wanted, without upsetting anyone. Less of their time would be wasted, but they equally wouldn't be wasting customer time, either, by asserting that they're not allowed to inspect the software they've been sold, and then by ignoring the reports from that inspection.

I hope she learns from this. I now avoid all Oracle software myself, but they still have a large influence on the broad Internet, and we'd all be safer if she'd get her head screwed on straight. Software sales aren't really supposed to be a master/slave relationship. A collaborative mindset seems much healthier to me.

(Then again, of course, Oracle is hugely profitable, and I can't imagine them caring very much about my opinion.)

/r/programming Thread Parent Link - databasesoup.com