by gurchik 835 days ago
Rapid7's article on the topic[1] mostly focuses on the need for providing enough information to IT admins so they can understand the severity of the problem. There are other unsaid reasons for this (credit/payment I'd imagine is part of it), but on face value doesn't this make sense? When Metabase[2] says "Upgrade your instance NOW" and they have a vuln that "allows unprivileged access to any Metabase instance" I upgraded immediately. When JetBrains[3] says "4 security problems have been fixed. We highly recommend installing this update as it includes a fix for a critical security vulnerability" then many people are not going to upgrade as quickly. JetBrains eventually gave more information[4] but would they have done this if Rapid7 wasn't threatening to disclose it themselves?

^1: https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-...

^2: https://discourse.metabase.com/t/upgrade-your-metabase-insta...

^3: https://www.jetbrains.com/help/teamcity/teamcity-2023-11-4-r...

^4: https://blog.jetbrains.com/teamcity/2024/03/additional-criti...


This is a decent explanation for issuing a CVE and a clear disclosure immediately after a patch is available, but the claim in the article is that best practice is to reveal immediately regardless of whether there's a patch. That makes no sense to me.
You can read their actual disclosure policy here: https://www.rapid7.com/security/disclosure/

They do not -- and the industry as a whole does not -- claim that the best practice is to immediately reveal a vulnerability regardless of a patch.

Thanks. That makes a lot more sense. The Register must have misinterpreted the controversy when they wrote this:

> Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, claiming JetBrains soon after suggested releasing patches for the flaws before publicly disclosing them.

> Such a move is typically seen as a no-no by the infosec community, which favors transparency, but there's apparently a time and a place for these things.

Yes, this article is unfortunately disappointing and seems to have a bit of spin put on it, considering this is all pretty standard coordinated disclosure stuff.