so rapid7 is mad that jetbrains fixed the vulns they reported? isn't that the point of reporting vulnerabilities? why is rapid7 threatening to release the details in 24 hours?
> Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, claiming JetBrains soon after suggested releasing patches for the flaws before publicly disclosing them.
So JetBrains wanted to have a patch ready before disclosing the vulnerability publicly. It seems they were working on it and were working with Rapid7. I am struggling to think how it would be better for users if an unpatched vulnerability is released before a patch is available. What's the thinking here, that users will take additional precautions to secure the application while they wait for a patch?
> Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.
Rapid7 reported the vulnerabilities mid-Feb. Jetbrains turned around with patches about 2 weeks later, and published them yesterday. The CVE was literally created yesterday. Isn't it a bit premature to claim "silence"?
They released patches without saying they were related to a vulnerability and without notifying Rapid7. That is the textbook definition of what a silent patch is.
No. They are mad that they vulnerabilities were _silently_ fixed.