How to Report Security Vulnerabilities to Oracle

If you are an Oracle customer or partner, please use your designated support mechanism (e.g., My Oracle Support or SuiteSupport) to submit a service request for any security vulnerability you believe you have discovered in an Oracle product. If you are not a customer or partner, please email secalert_us@oracle.com with your discovery. We encourage people who contact Oracle Security to use email encryption using our encryption key.

Oracle values the members of the independent security research community who find security vulnerabilities and work with Oracle so that security fixes can be issued to all customers. Oracle's policy is to credit all researchers in the Critical Patch Update Advisory document when a fix for the reported security bug is issued. In order to receive credit, security researchers must follow responsible disclosure practices, including:

  • They do not publish the vulnerability prior to Oracle releasing a fix for it
  • They do not divulge exact details of the issue, for example, through exploits or proof-of-concept code

Oracle does not credit employees or contractors of Oracle and its subsidiaries for vulnerabilities they have found.