Oracle Cloud Infrastructure Documentation

About OCI Marketplace Publisher Guidelines

(OCI) allows Oracle partners to distribute their solutions to OCI customers via Oracle Cloud Marketplace. Oracle customers trust that these solutions are built and maintained in a way that ensures that their security and privacy is the top priority.

Customers also expect that solutions deliver as promised, include excellent documentation, and provide a support experience that is effective and low friction. This document describes the minimum bar required of Oracle partners for inclusion in Oracle Cloud Marketplace. You are encouraged to exceed these specifications, wherever possible. Solutions that include exceptions to these standards must be reviewed and approved by Oracle.

Key Words

This document uses key words as defined by IETF RFC 2119. For more information, seehttps://www.ietf.org/rfc/rfc2119.txt.

  • Must - This word, or the terms "Required" or "Shall", mean that the definition is an absolute requirement of the specification.
  • Must not - This phrase, or the phrase "Shall not", mean that the definition is an absolute prohibition of the specification.
  • Should - This word, or the adjective "Recommended", mean that there may exist valid reasons in particular circumstances to ignore a particular item, but the full implications must be understood and carefully weighed before choosing a different course.
  • Should not - This phrase, or the phrase "Not recommended" mean that there may exist valid reasons in particular circumstances when the particular behavior is acceptable or even useful, but the full implications should be understood and the case carefully weighed before implementing any behavior described with this label.
  • May - This word, or the adjective "optional", mean that an item is truly optional. One vendor may choose to include the item because a particular marketplace requires it or because the vendor feels that it enhances the product while another vendor may omit the same item. An implementation which does not include a particular option must be prepared to interoperate with another implementation which does include the option, though perhaps with reduced functionality. In the same vein an implementation which does include a particular option must be prepared to interoperate with another implementation which does not include the option (except, of course, for the feature the option provides.)

Vulnerability Severity Levels

Where there is any reference to security vulnerability in this section, the reference is to the Common Vulnerability Scoring System (CVSS) v3.0 ratings system. For more information about CVSS v3.0, see https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator.

Security

The Oracle Cloud Infrastructure security overview states that:
We [Oracle] believe that a dynamic security-first culture is vital to building a successful 
security-minded organization. We have cultivated a holistic approach to security culture in which 
all our team members internalize the role that security plays in our business and are
actively engaged in managing and improving our products' security posture. We have also
implemented mechanisms that assist us in creating and maintaining a security-aware culture.

You must read and understand the entire Oracle Cloud Infrastructure approach to security. See Oracle Cloud Infrastructure Security Guide in the Oracle Cloud Infrastructure documentation.

You must maintain a security first culture that understands and values the trust of our mutual customers.

Controls

  • You must maintain awareness of security alerts and advisories that have an impact on your solutions. Here are some common sources of security alerts:
    • SecurityFocus maintains recent advisories for many open source and commercial products. https://www.securityfocus.com/
    • The National Vulnerability Database. https://nvd.nist.gov/vuln
    • US-CERT and the Industrial Control Systems CERT (ICS-CERT) publish regularly updated summaries of the most frequent, high-impact security incidents. https://www.us-cert.gov/ics
    • Full Disclosure at SecLists.org, is a high volume, public, vendor-neutral forum for detailed discussion of vulnerabilities and exploitation techniques. https://seclists.org/fulldisclosure/
    • The Computer Emergency Readiness Team Coordination Center (CERT/CC) has up-to-date vulnerability information for the most popular products. https://www.cert.org
  • You should watch for Oracle Cloud Infrastructure platform updates that may have an impact on images that you have published.
  • You must notify OCI within 3 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating of 9.0 or higher.
  • You must notify Oracle Cloud Infrastructure within 5 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating between 7.0 and 8.9.
  • You must notify OCI within 20 business days of any newly discovered vulnerabilities that impact your solutions with a CVSS rating between 4.0 and 6.9.
  • You must publish updated solutions that mitigate newly discovered vulnerabilities in a timely fashion.
  • You must allow customers to keep their solutions updated to protect against newly discovered vulnerabilities. Some common patterns are:
    • Automatically applying security updates.
    • Allowing a customer to run a command to apply security updates.
    • Providing a process that allows a customer to replace any current deployments with an updated version. This process should be sufficiently low friction so that a customer is not discouraged from performing the work required.
  • You should publish updated solutions with general security updates on a quarterly basis.
  • If you might require the execution of a non-disclosure agreement before disclosing a vulnerability to Oracle, your must have executed an Oracle Confidentiality Agreement (CDA) prior to publication of your first image. Your Oracle Partner team will assist with this process.