Hi Shawn,
Oracle do not report issues they've found internally in their alerts. EveryDBn in their alerts marries up to "public" flaws.
Not that I disagree (or know for that matter) but atblogs.oracle.com/security/ they state that they, "Disclose the existence ofvulnerabilities once cured, even if they are discovered internally." Maybe someone should leave a comment correcting them or better yet invite them to discuss some of the issues brought up on this list.
Ah, the wonders of Oracle Spin Blog. When Oracle issue an alert they credit a number of external security researchers. Some of these researchers don't post their own advisories for the flaws that they've reported but others do. When you marry up the advisories of those that do to the vulnerabilities listed in the Risk Matrix in the Oracle alert you're left with only a few "unexplained" entries. So either these were found internally by Oracle or they were found by the researchers that don't publish advisories. Now, when Mary Ann Davidson, the Oracle CSO, has gone on record as saying that they find more than 75% of significant issues internally (bottom of section 3 here - http://news.com.com/When+security+researchers+become+the+problem/2010-1071_3-5807074.html) wer'e left in a situation where the numbers just don't stack up. Either they don't publish internal finds (which leaves Mary's statement intact) or they do publish internal finds which destroys Mary's statement. There is of course the possibility that external researchers are reporting issues that have already been found internally - which would leave both statements intact. However, when I report a new issue to Oracle they way in which they respond indicates whether you've found a new issue or a duplicate. It's not very often you get a duplicate so we're still left with the contradiction. Either way this contradiction means that someone at Oracle is lying. The problem with spin is that it leaves you dizzy and you might just end up on your butt.
Cheers, David