Has anyone been getting repeated Oracle Java “compliance” emails lately?
Posted by 404socialskillz@reddit | sysadmin | 65 comments
We’ve recently had multiple people at our company receive repeated emails from Oracle regarding Java licensing and “compliance.”
The confusing part is that we don’t believe we actively use Java in any way.
The messaging has been pretty persistent and mostly asking whether Java exists anywhere at all (even through third-party applications) and pushing to schedule time to review licensing.
It appears to be coming from an Oracle Java account executive (there’s a LinkedIn profile, so it doesn’t seem like a scam), but the outreach feels pretty broad.
I’m trying to understand:
Is this a random general outreach or do we really have to meet with them?
Has anyone else dealt with this recently? What did your approach look like?
LuckyLuke364@reddit
You don't get to buy your own island by giving away free Java licenses
stromm@reddit
Oracle is crazy on their IP/Licensing enforcement. Even a single install of JAVA (runtime, sdk, doesn’t matter) on one machine of any type and they expect to be paid based on all POSSIBLE installations. Where I am that means 62,000 endpoints.
It’s why we only allow up to v8u201 by Oracle. And anything higher gets caught by automatic software inventory and ripped out within a day.
Anyone wanting new Java must use other publisher’s versions.
LuckyLuke364@reddit
"Ripped Out"🔥
404socialskillz@reddit (OP)
We haven’t replied, but for context, these are the emails we have been getting:
From: Sophie White
Subject: Re: Important Oracle Java Notice | License & Security Requirements
Hi,
Just wanted to emphasize the importance of this discussion and the points I’ve made below.
If Java is being utilized in any fashion, I’d like to find some time to go over the licensing changes and to discuss how Java is being leveraged in your environment. That way, we can discuss your actual use cases and determine if your Java usage will be impacted in any way by these licensing changes.
What’s your upcoming availability for a brief sync?
Best,
Sophie White
Account Executive | Java & Virtualization Technologies
From: Sophie White
Subject: Re: Important Oracle Java Notice | License & Security Requirements
Hi,
Reaching out again, as I have yet to hear back from you regarding your Company's Java usage.
I’m more than happy to set aside some time for us to go over the Java licensing changes to determine the necessity of Java licensing for your organization.
As a reminder, if you have non-public versions / updates of Java installed, we’ll need to ensure that you’re compliant and obtain the proper licensing or confirm that you have the proper entitlements allocated.
Please share your upcoming availability for a quick sync.
Best,
Sophie White
Account Executive | Java & Virtualization Technologies
From: Sophie White
Subject: Re: Important Oracle Java Notice | License & Security Requirements
Hi,
Following up on my previous messages.
Do you know if Java is used in any capacity throughout your Company?
I want to ensure that the right people fully understand the potential impact of these changes, if Java is leveraged in any fashion.
So, if Java is installed on any of your desktops or servers, please share your upcoming availability to discuss these changes in greater detail.
Best,
Sophie White
Account Executive | Java & Virtualization Technologies
From: Sophie White
Subject: Re: Important Oracle Java Notice | License & Security Requirements
Hi,
Hope you’re doing well. Wanted to follow up on a note I’d sent you recently.
Have you been able to review the information I’d sent you earlier this week and investigate the changes to the Java licensing model?
If not, are you available Monday (4/13) or Tuesday (4/14) for a more in-depth conversation about these topics?
Best,
Sophie White
Account Executive | Java & Virtualization Technologies
From: Sophie White
Subject: Important Oracle Java Notice | License & Security Requirements
Hi,
Hope all is well. Wanted to introduce myself as I’m the Oracle Java Account Manager aligned to your Company.
I’m reaching out because I work with similar organizations to ensure they’re aware of the changes within the Oracle Java licensing model.
Key information you should be aware of:
* The last, free public update of Java 8 was released in January 2019, and 25 major updates containing security patches have since been released
* Most organizations I work with prioritize keeping Java up to date to prevent potential security vulnerabilities
* A subscription or entitlements are needed to install most Java versions / updates past version 8, update 202
* These licensing changes impact Java use cases beyond development, including the usage of Java Runtime (JRE) for third-party applications
What’s your availability Wednesday (4/8) or Thursday (4/9) to discuss how your organization is leveraging Java?
Best,
Sophie White
Account Executive | Java & Virtualization Technologies
cacheoverlord@reddit
I got the exact same emails word for word recently. Curious if anyone else did too?
donkeylubber@reddit
I got one of these messages and asked them for proof or the information that they had that showed that we use the software. They provided IP addresses that belong to another organization. I told them that those IPs are clearly owned by another company and they ceased all communication.
snorkel42@reddit
Configure your mail servers to block any messages from Oracle.com.
kissmyash933@reddit
Ignore them, do not respond. Send those communications to your legal department and let them decide what should be done.
404socialskillz@reddit (OP)
Yeah, that’s kind of what I thought too, and this doesn’t feel like a formal audit notice.
What’s throwing me off is the volume and persistence. They’re contacting multiple people across our company and pushing to schedule time.
So it feels more like broad outreach, but the “compliance” language is what made me pause.
sysadminbj@reddit
Sounds a lot like their sales trolls are using high pressure and a false sense of urgency to get your company to buy licenses that they don't need.
TheThoccnessMonster@reddit
This. Oracle is a shit fire.
schnurble@reddit
That's typical Oracle MO.
dirtymatt@reddit
Yup. That’s what Oracle does. The messed up part, we have Oracle licenses, they know who to contact in our org, and they still just troll our website to find random tech contacts to harass. They’re trying to find someone to respond so they can deem whatever that person is doing as commercial use requiring a license and try to bully them into paying.
CKtravel@reddit
Yeah, they're searching for the weakest link in your company to try and find someone who'd relent and reply to them. None of you should, outside of your legal department.
canyonero7@reddit
Microsoft does the same thing. They want you to think you have to respond, but you don't. However, not responding might increase your chance of getting a formal audit request.
It totally depends on your scale though - the bigger the company, the higher the risk.
nkings10@reddit
I think the difference is, most companies have Microsoft agreements in place.
For any other companies they can go eat a big fat d***
VexingRaven@reddit
This is what they do. It's their entire business model. They email everyone until someone says something incriminating, then they find something to sue you over.
fnordhole@reddit
It's basically sales.
They suck.
You could block the domain as spam. Oops.
Upstairs-Ad-4001@reddit
And you will end up with an audit or letter from Oracle lawyer. If OP has some other Oracle products in the environment, P6, DB, etc, then Oracle has full legal right to audit.
OP, Oracle licensing agreement is very muddy, but, I'll summarize it for you. If you have one instance of Java installed in your environment, then you have to buy licenses for the whole company, every user. Even janitor. So, you block everything Oracle Java in your web/dns. Remove all Oracle Java across the enterprise, there are multiple replacement options. Set AppLocker. And as others said, check with your legal.
Lucky__Flamingo@reddit
If people ask questions like that, whether you think they're legitimate or not, you should refer the matter to your employer's counsel. Don't say anything to anyone without their guidance.
TheThoccnessMonster@reddit
This right here. Never, ever respond. They are dirty fucking snakes trying to go around people above you who are also, generally under legal advisement, to also say nothing.
Snowdeo720@reddit
I’ve never given those any credence after the first time I get them at an org.
I’ll do an audit of the fleet of assets to validate no oracle software is installed, delete the email, move on and laugh at their predatory practices.
overlycon@reddit
What others are saying. Send to your legal dept. Oracle is very aggressive conducting audits and incentivizes their 3rd party auditors to find violations. If you don’t have Oracle Java installs the reply (from Legal) is simple.
dirtymatt@reddit
If you don’t have Oracle Java installs, the reply from Legal is nothing. If you don’t have any legal agreement with them, they’re not entitled to any communication from your company.
BoysenberryDue3637@reddit
Two stories on this BS from Oracle.
I received it and responded that we had no Java in our environment. They tried demanding an audit. Corp. counsel told them to pound sand without a search warrant. They went away when we lawyered up.
Buddy of mine's counsel thought - ain't no biggie because we were good. They had open source Java on most of their machines. Oracle scanning tool looked for the exec java.exe and that was the one and only criteria. Oracle claimed that because the exe java was on all those machines, they had to pay up. I need to ping him to see what finally happened with that.
starm4nn@reddit
Wonder what would happen if you responded "We ran an audit the other day and found out that exe had a backdoor built into it which tried to steal company data. Are you saying that you were the ones behind it?"
CKtravel@reddit
🤣🤣🤣 That'd be nice, but those bastards basically function as a law firm (with a small IT department as a "side hustle") nowadays so they'd call your bluff in no time.
CKtravel@reddit
I'd treat these e-mails as scamming attempts because that's what they basically are. They're aggressively cold-calling every American company they can lay their dirty paws on to see if they can extort some of that sweet racket they're after. No, if you aren't using any Java-based application at all then you don't have to reply to them. If by any chance you DO have something Java-based then make sure you switch to OpenJDK JRE on all of them and let your legal department/company lawyer deal with these roaches.
shemanese@reddit
Yep. We got nailed by an audit a few weeks ago.
malikto44@reddit
This varies on companies. In general, as an IT guy, if someone starts legal threats, I forward them to company legal. Usually legal will give me a boilerplate note telling the other side that they are banned from communicating with any support (because of the legal threats... and this after they are given time to retract the threats), any company reps or relevant people, given a snail mail PO box as their only way they will be responded to, and then a memo is sent to IT to recite a script telling them to only use that for company communications. From there, they are blocked on email and other means. Pretty much "sue us or blow us."
This stops the third party, offshore vendors demanding audits in their tracks. The bigger names, legal knows legit contacts and can figure out if a demand is genuine and needs acted on, or something they can say, "send us a motion of discovery with a judge's signature if you want to press your luck" and ignore it.
Sometimes the demands are genuine. A user logging onto CAD programs on their work computer, and they have a personal subscription, for example.
missed_sla@reddit
Reminder that openjdk is a thing. Don't give oracle a dime.
Kuipyr@reddit
Adoptium, Amazon Corretto, Azul Zulu, even Microsoft maintains a Java distribution.
guevera@reddit
Last year I was getting these. Got sick of them. Eventually took the time to respond with an email explaining what I think of java, oracle, and Ellison. Iirc the final line was something about how if forced, I use the open jdk and to go try and shake down someone else. Haven't heard back
mrcranky@reddit
Block their domains.
moffetts9001@reddit
If you have even thought about using Oracle software, their position is that you have consumed a license. I’m joking, but also not really.
rcampbel3@reddit
To summarize:
Train your employees to NOT answer any questions that come from vendors to employees about software licensing and instead refer them to the software licensing team. Employees may think they're helping by responding with what they BELIEVE they know, but this information can open the door to significant corporate risk and SIGNIFICANT additional discovery efforts -- think of inviting a vampire into your house.
MedicatedDeveloper@reddit
Just blackhole the email domain. If it was a real legal issue it wouldn't be over email.
404socialskillz@reddit (OP)
Yeah, I found it a bit unusual that it’s coming from the sales team. I checked the Account Executive’s LinkedIn profile, and she refers to herself as “the team top performer,” with million-dollar deals closed.
The outreach leans more toward an easy cash-grab win than an actual compliance review or even a standard sales call.
MedicatedDeveloper@reddit
If it doesn't come to corporate by registered mail or some kind of signature service it doesn't mean shit.
broknbottle@reddit
Oracle is broke and trying to look in their and everyone else’s cushions for spare coins
UCFCO2001@reddit
My company has been getting these emails for a while and we're actively working to switch everything to openjdk. We do have some software from Oracle that comes with a restricted license to Oracle Java and it's pretty much required for that software (we break our support contract among other things). We've been told by our legal team that the new licensing model Oracle is using would require us to license their Java for all servers if we have it installed on even one. Best our legal team could figure would be it would cost us several million dollars a year. Pain in the ass.
OneSeaworthiness7768@reddit
My org went through a very similar situation for the same reason a few years ago. They were so annoying to deal with. We also decided to move to openjdk after that.
UCFCO2001@reddit
The problem is, we use PeopleSoft which does come with a restricted Java license. But Oracle Java is pretty much required. It's delivered with it baked in and if you switch to openjdk, which is not a supported Java, then you are out of support. Not sure how legal is going to handle this one, guess time will tell.
homing-duck@reddit
Maybe they changed the licensing recently, last I looked (a year or two ago) as soon as you installed Java on one computer/server, all employees needed a license.
This included employees/contractors that don’t even use a computer.
Oracle doesn’t have customers, they have hostages…
UCFCO2001@reddit
I think the lawyers told us it was the number of servers, but generally I tune the lawyers out on meetings and ask for everything in writing. Even though they're in house lawyers (I work for a fairly large company), I don't trust anything a lawyer says and get it in writing. With that said, it's entirely possible you're right. Either way, it was going to be a lot of money, much more than we were willing to pay.
flecom@reddit
I reply with goatse
bgradid@reddit
The real power move
badaccount99@reddit
Oracle is a law firm. They just buy up companies then sue.
We got sued for Virtualbox. 4 of our employees out of 2k downloaded it, and we got sued because we're a company. *.oracle.com is blacklisted in DNS now.
We also did MySQL support before Oracle bought them and changed the price more than 10x. They send 15 guys in fancy suits on a plane to try to convince us to renew at the new price. Nope. They spent more money on those flights than we spent per year for MySQL support before them. Switched to SkySQL right away.
Main_Ambassador_4985@reddit
We have not used Java since v6 from SUN.
We switched to OpenJDK from Amazon if Java is needed as part of software.
All Oracle software is banned in my Org
DifficultElk5474@reddit
It’s just a business development engagement method. Ignore.
kona420@reddit
Transport rule in exchange for @oracle.com and body contains Java, quarantine or delete. Block the url for the consumer Java download.
Sobeman@reddit
send all oracle.com emails to the void
Different_Stand1792@reddit
Is there any way to verify if Java is indeed installed on our systems, even through third-party apps? Just want to be sure before we disregard these emails entirely.
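One way to answer this question without judging by `java.exe` alone, which the scanning-tool story earlier in the thread shows is not enough (added example, not code from any commenter): walk a filesystem for Java runtimes, including ones bundled inside third-party applications, and read each runtime's `release` file to see who published it. It assumes each runtime root holds `bin/java` or `bin/java.exe` plus a `release` file with `JAVA_VERSION` and, on newer builds, `IMPLEMENTOR`; the function names are hypothetical, the sample tree is constructed, and the 8u201 cutoff is the one a commenter above describes.

```python
import os
import re
import tempfile

# Assumption: a runtime root holds bin/java(.exe) and a "release" file of KEY="value" lines.
RELEASE_LINE = re.compile(r'^\s*([A-Z0-9_]+)\s*=\s*"?(.*?)"?\s*$')

def parse_release(path):
    """Read a runtime's release file into a dict."""
    fields = {}
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            m = RELEASE_LINE.match(line)
            if m:
                fields[m.group(1)] = m.group(2)
    return fields

def feature_and_update(java_version):
    """'1.8.0_202' -> (8, 202); '17.0.9' -> (17, 0); unparseable -> (0, 0)."""
    m = re.match(r"1\.(\d+)\.\d+(?:_(\d+))?", java_version)
    if m:
        return int(m.group(1)), int(m.group(2) or 0)
    m = re.match(r"(\d+)", java_version)
    return (int(m.group(1)), 0) if m else (0, 0)

def publisher_of(fields):
    """Publisher from IMPLEMENTOR; older release files may not carry the field."""
    implementor = fields.get("IMPLEMENTOR", "").strip()
    if not implementor:
        return "unknown"
    return "oracle" if "oracle" in implementor.lower() else implementor

def scan(root):
    """Find every runtime under root, including ones bundled inside applications."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        has_launcher = any(os.path.isfile(os.path.join(dirpath, "bin", n))
                           for n in ("java", "java.exe"))
        if "release" not in files or not has_launcher:
            continue
        fields = parse_release(os.path.join(dirpath, "release"))
        publisher = publisher_of(fields)
        version = fields.get("JAVA_VERSION", "")
        # Cutoff taken from the thread: Oracle builds newer than 8u201 get reviewed.
        review = publisher == "unknown" or (
            publisher == "oracle" and feature_and_update(version) > (8, 201))
        findings.append({"home": os.path.relpath(dirpath, root), "publisher": publisher,
                         "version": version, "review": review})
    return sorted(findings, key=lambda f: f["home"])

def build_sample_tree(base):
    """Constructed sample data: three fake installs, no real Java involved."""
    samples = {
        "apps/vendor-tool/jre": 'IMPLEMENTOR="Eclipse Adoptium"\nJAVA_VERSION="17.0.9"\n',
        "java/jdk-11.0.2": 'IMPLEMENTOR="Oracle Corporation"\nJAVA_VERSION="11.0.2"\n',
        "java/jre1.8.0_201": 'JAVA_VERSION="1.8.0_201"\nOS_NAME="Windows"\n',
    }
    for rel, release in samples.items():
        home = os.path.join(base, *rel.split("/"))
        os.makedirs(os.path.join(home, "bin"))
        open(os.path.join(home, "bin", "java.exe"), "w").close()
        with open(os.path.join(home, "release"), "w", encoding="utf-8") as fh:
            fh.write(release)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for row in scan(tmp):
            print(row)
```

Rows marked `unknown` need a manual check, for example the `java.vendor` line printed by `java -XshowSettings:properties -version`; a runtime shipped without a `release` file is not found by this scan.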
StuffMyMomSez@reddit
Equally infuriating, there are some government websites that ONLY work with Oracle Java because it has the stupid ActiveX control for Java Web Forms (EIA/TIA reporting, specifically). We haven't been able to get these sites working with any flavor of OpenWebStart/IcedTea-Web, OpenJDK, Corretto, or anything else.
Bartghamilton@reddit
They are fishing. They’ve done this for years. I had a rule that only allowed a few number of people in IT to even receive emails from oracle.com just to limit this. They’ll email any and everyone looking for a way in to try and find something to bill you for. If they really wanted to do a legal audit they’ll send a letter.
404socialskillz@reddit (OP)
You’re probably right. Surely an audit request or compliance review wouldn’t be coming from an Account Executive or the Sales Team?
I checked the LinkedIn of Sophie White (the Account Executive who has been spamming our company), and she refers to herself as “The Team Top Performer.”
She wrote on her LinkedIn that she’s collected $1,342,742.50 here, $1,809,938.89 there, and so on. It sounds like she’s just sending aggressive emails to collect an easy bill to hit her quota.
whitephnx1@reddit
So they are doing this because of the way Oracle changed the license agreement. Our company talked with them to understand why they were sending the emails and they said if you use any application that uses Java and that company doesn't pay the licensing fee for each license they sell then it falls on the person using the app to pay the Java fee. This includes anything using Java runtimes. Apparently they have a list of apps that do pay and if your app you use isn't on it you have to buy licenses. But it gets worse they said you can't just buy the amount of licenses you actually use, you have to buy for the full amount of users you have in your environment. We told them yea, not today and we will remove all apps that use Java if that's the case and never heard back from them.
nitwitsavant@reddit
As soon as anyone responds they will start with the selling pressure. We think you are using our intellectual property incorrectly and would hate to take legal action. Let us audit it and then we can make a deal for willing compliance.
Oracle is a trash organization and their products no longer have the technology edge they used to.
angrydeuce@reddit
Anything I get like that unprompted goes right in the garbage lol. If they want an audit they better come with a court order otherwise they can get bent.
I wouldn't have even bothered checking its legitimacy, and just assume it's bullshit. I have had literally zero issues with that policy since covid.
chesser45@reddit
Hah the key is to just use the last oracle commercially free version of Java. Those suckers can’t do anything then! (Major /s as that’s so out of date and we do that 🥲)
mabhatter@reddit
Everybody should be using OpenJDK now and avoiding Oracle.
Last I knew, Oracle's versions "expire" when a new version comes out and only the latest one they offer on Java.com is "free". That's what they're looking for are people who downloaded Java from Oracle "for free" a while ago and are still on an older version that requires a license to keep.
A lot of people install Java 8 or Java 11 because that's what specific older Java software that used to be all over enterprise used to require before the OpenJDK days. But even if you installed it as a requirement of another application, it still phones home, and Oracle expects you to get a license.
So they have sales that look at IP addresses where Java installs phone home from and then spam trying to find someone to call them back and fall into the license trap. It ought to be illegal.
graywolfman@reddit
Yeah, they've made it up to our CIO, who actively laughs at the 'threats.' We have deployed an uninstall script via SCCM, as we verified we don't need Java in any way. We won't respond until our report shows zero installs, then it will be a "piss off" email.
usa_reddit@reddit
Oracle likes to audit people to (sic) "see if they can save you money." Hint: they never do. Ignore them, it is a scam to try to get their foot in the door and scare you or sell you something.
Oracle plays endless games like "Let's switch to a network vs. CPU license or vice versa to save you money."
Ignore.
jmhalder@reddit
If you don't have a contract, ignore them. They don't have any right to any of your internal information.
If you do have a contract, get legal involved.
DontTakePeopleSrsly@reddit
This bullshit is why we moved to RedHat’s OpenJDK.