We often hear that a certain software product has security holes, as claimed by research firms/hackers and security solutions vendors. I just came across one article as follows,
about SQL Server and Oracle RDBMS.
As far as I understand, in order to know in what sense a piece of software has a security issue/hole/vulnerability, one needs to have access to the source code of the product in question. But many a time it looks like the source code is not made available to these companies/hackers etc., and still they report the problems. How does this work? Thanks.