Network World
Security firm details unpatched Oracle flaws

By James Niccolai, IDG News Service, 07/20/2005

A German security firm has published details of six security vulnerabilities in Oracle's software, three of them high-risk, that it says were not fixed in an Oracle security update earlier this month.

The decision to publish the vulnerabilities, which affect Oracle Reports, Oracle Forms, and indirectly some other Oracle products, raises again the issue of whether security experts should disclose holes in products before vendors have patched them.

Security firm Red-Database-Security, which specializes in Oracle products, says it reported the holes to Oracle almost two years ago. The database vendor acknowledged they exist but has still not patched them, according to Alexander Kornbrust, a business director at Red-Database-Security, in Neunkirchen, Germany.

Kornbrust warned Oracle in April that if it did not fix the bugs with its next round of security patches then Red-Database-Security would publish details about them. Oracle released the quarterly patch update last week, fixing 49 holes in various products. It did not fix the bugs uncovered by Red-Database-Security, however, so the security firm released details of them Tuesday.

Red-Database-Security describes three of the bugs as high-risk, two as medium-risk and one as low-risk. One of the high-risk flaws makes it possible for a hacker to overwrite files in the Oracle Application Server, according to Red-Database-Security. Oracle Reports is a component of the Oracle Application Server and is also used by its E-Business applications suite.

The holes are not hard to exploit and affect all recent versions of the products, according to Kornbrust. "In one case all you have to do is type in a URL," he said. More information, including the workarounds, can be found here.

In a statement, Oracle said it takes security seriously. Its policy is to fix vulnerabilities in order of severity, starting with high-priority issues, it said.

"We are disappointed when any details of Oracle product security vulnerabilities are released to the public before patches can be made available," the company said.

An Oracle spokesman in the U.K. declined further comment.

Security firms have come under fire for releasing details of unpatched security flaws. Some experts argue that if vendors do not patch their products in a reasonable amount of time, then customers have a right to know that vulnerabilities exist. Others say that security firms never help customers by publishing information about still-vulnerable products.
