March 12, 2024 at 12:34PM
JetBrains and Rapid7 are embroiled in a public dispute over how vulnerabilities should be disclosed. After Rapid7 published full technical details of vulnerabilities in TeamCity, JetBrains accused Rapid7 of acting unethically and blamed the disclosure for subsequent ransomware attacks on TeamCity customers. The spat highlights the need for clear, widely agreed disclosure norms in the infosec space, so that customers are protected and the window for costly attacks is kept as short as possible.
The main points are as follows:
1. Rapid7 and JetBrains are involved in a dispute over the disclosure of vulnerabilities in TeamCity.
2. Rapid7 released full details of the vulnerabilities immediately after the patches went live, whereas JetBrains believes a vendor should provide only the details customers need to act at the time of the patch release and withhold complete technical details until customers have had time to update.
3. There is a disagreement in the information security community regarding the timing of vulnerability disclosure, with different vendors and industry bodies having varying policies.
4. Rapid7’s disclosure policy prioritizes timely disclosure: a vendor is expected to release a fix within 60 days of being privately notified, with a 30-day extension available when the vendor is working on the fix in good faith.
5. There are concerns about the impact of immediate full disclosure, since ransomware attacks against TeamCity customers followed Rapid7’s detailed publication; the counter-argument is that attackers can often reconstruct an exploit by diffing the patch, so withholding details delays defenders more than attackers.
6. Both vendors have presented their perspectives, and a resolution may be hard to reach. The cost and consequences of attacks that follow a disclosure, as well as the cost of leaving customers without enough information to defend themselves, should both be weighed when setting a disclosure policy.