Yup. It's not like those customers that are busy reverse engineering Oracle's code are doing it for the kicks. They have their own jobs to do. Much more likely, they are getting weird results out of Oracle's software that they don't understand, so they reverse engineer the code to see why the system is crashing / giving unexpected results so that they can find a workaround without having to wait for the vendor to fix their bug.
Then, if it turns out that it's a security issue, of course they are going to notify Oracle of the fact, both as a moral duty, and because it makes it more likely that Oracle will get a patch out faster.
Oracle whinging about people finding bugs in their code would be better off trying to improve their processes so that there are less bugs to find, rather than complaining that they've been found out for shipping buggy code.
Then, if it turns out that it's a security issue, of course they are going to notify Oracle of the fact, both as a moral duty, and because it makes it more likely that Oracle will get a patch out faster.
Oracle whinging about people finding bugs in their code would be better off trying to improve their processes so that there are less bugs to find, rather than complaining that they've been found out for shipping buggy code.