Security News > 2024 > March > Rapid7 throws JetBrains under the bus for 'uncoordinated vulnerability disclosure'

Security shop Rapid7 is criticizing JetBrains for flouting its policy against silent patching regarding fixes for two fresh vulnerabilities in the TeamCity CI/CD server.

According to the cybersecurity company, it replied by saying it wouldn't agree to swift disclosure, and pointed JetBrains to its policy against silently patching vulnerabilities, which stipulates that if companies violate that policy, Rapid7 will itself release the full details of the vulnerability, including enough information to allow people to develop exploits, within 24 hours.

Rapid7 claims that after more than a week of radio silence from JetBrains on the coordinated disclosure matter, Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.

Following what sounds like a sternly worded email from Rapid7, JetBrains released a blog detailing the vulnerabilities, but the security researchers say it continued to ignore inquiries about why it violated coordinated vulnerability disclosure norms.

While JetBrains prepares to tell its side of the story, members of the infosec community have shamed the TeamCity vendor over the supposed uncoordinated disclosure with Rapid7.

"The Rapid7 blog on JetBrains TeamCity is savage - especially the disclosure timeline," said security researcher Ron Bowes on Mastodon.

News URL

https://go.theregister.com/feed/www.theregister.com/2024/03/05/rapid7_jetbrains_vuln_disclosure_dispute/