
Oracle Just Spat All Over Its Customers In A Very Big Way

Tags: security

Image Credit: Mindaugas Danys

I like to think that the length of time an organization’s been at the top of its field is proportional to the likelihood that someone within the company’s going to say something stupid. Look, for example, at a recent blog post by Oracle’s Chief Security Officer, Mary Ann Davidson. Titled “No, You Really Can’t,” the piece goes into great detail about why the developers dedicating themselves to reporting and removing vulnerabilities in Oracle’s products are terrible, terrible people.

Yes, I’m serious.

Davidson also unleashes some half-cooked ramble about how she’d rather be writing murder mysteries than telling off customers. She also implies that those developers who are reverse-engineering Oracle’s code are ignoring the basics of security.

See for yourself:

“I can understand that in a world where it seems almost every day someone else had a data breach and lost umpteen gazillion records to unnamed intruders who may have been working at the behest of a hostile nation-state, people want to go the extra mile to secure their systems,” she rants. “That said, you would think that before gearing up to run that extra mile, customers would already have ensured they’ve identified their critical systems, encrypted sensitive data, applied all relevant patches, be on a supported product release, use tools to ensure configurations are locked down — in short, the usual security hygiene — before they attempt to find zero day vulnerabilities in the products they are using.”

I…guess we can’t do both? We can’t keep our own installations secure while at the same time looking for zero-day vulnerabilities – many of which could be absolutely devastating if left unpatched? She takes her argument a step further, too, arguing that customers who reverse-engineer Oracle’s code violate their licensing agreements.

The essay goes on for some time after that, but as ZDNet’s Charlie Osborne notes, it doesn’t lose its holier-than-thou attitude even once. To its credit, Oracle realized fairly quickly that Davidson’s post was in very poor form. It’s since been de-listed, with Oracle’s Executive Vice President and Chief Corporate Architect Edward Screven running damage control:

“The security of our products and services has always been critically important to Oracle,” said Screven to ZDNet. “Oracle has a robust program of product security assurance and works with third party researchers and customers to jointly ensure that applications built with Oracle technology are secure. We removed the post as it does not reflect our beliefs or our relationship with our customers.”

Unfortunately, I expect that the damage may already have been done. Worse yet, it could serve as yet one more blow against Oracle’s product portfolio, which in recent years has been suffering greatly at the hands of open-source alternatives. The developers responsible for those products, at least, won’t launch into rants about how customers should just let zero-day vulnerabilities exist.

“The impact [of open-source] shows up in Oracle’s sales of new software licenses, which have declined for seven straight quarters compared with the period a year earlier,” writes Bloomberg’s Jack Clark. “New licenses made up 25 percent of total revenue in fiscal 2014, down from 28 percent a year earlier — a sign the company is becoming increasingly dependent on revenue from supporting and maintaining products at existing customers and having a harder time finding new business.”

In other words, Oracle’s struggling enough without alienating the customers it still has left. But it just did. And nothing the company says from here on out is going to change that.




This post first appeared on Official ColocationGuard Blog | Colocation Tutoria.
