Interesting article, found via Pete Finnegan's blog, from an interview with one of Oracle's security people.
A few quotes:
"We don’t hide our internally discovered vulnerabilities. When we discover something internally, we still mention it in our Critical Patch Updates."
"There are others [security researchers] who for their own good reasons choose to pressure us and put our customers at risk by a partial or early or zero-day disclosure of vulnerabilities in Oracle products."
So let me get this straight. If Oracle employees find a bug, then disclose it, it is a GOOD THING. If external parties practise partial disclosure, they are putting customers at risk. The exact meaning of 'zero-day' disclosure is debatable. If it means disclosure prior to informing Oracle, then there is no excuse and it is BAD. They MAY mean disclosure before Oracle have patched it, but then what is "early disclosure"?
Where they are referring to disclosure before a patch is available, there is room for debate. If there is a potential workaround to reduce risk, then publicising the issue plus the workaround could benefit some customers.
"If you look at all of the vulnerabilities that my security group handles, we discover about 75% of them. About 10% is reported to us by our customers. The remainder comes to us through external security researchers."
Normally figures like these should add up to 100%, but I don't think these do. Remember, Oracle don't publicise bugs before they patch them, so a vulnerability could be 'discovered' by customers, researchers AND internal Oracle staff, just like America being discovered by the Carthaginians, Vikings, Chinese, Columbus, and so on (not to mention the people already actually living there).