The public face of Oracle’s product security is its quarterly security patches or Critical Patch Updates and the occasional Security Alert that fix vulnerabilities that are being actively exploited “in the wild”. As well as reviewing Oracle's product vulnerability handling practices, this presentation will explain the core elements and challenges of the less public but broader and more important Oracle Software Security Assurance program including: