[lolinder]

This is a decent explanation for issuing a CVE and a clear disclosure immediately after a patch is available, but the claim in the article is that best practice is to reveal immediately regardless of whether there's a patch. That makes no sense to me.

[ziddoap]

You can read their actual disclosure policy here: https://www.rapid7.com/security/disclosure/

They do not -- and the industry as a whole does not -- claim that that the best practice is to immediately reveal a vulnerability regardless of a patch.

[lolinder]

Thanks. That makes a lot more sense. The Register must have misinterpreted the controversy when they wrote this:

> Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, claiming JetBrains soon after suggested releasing patches for the flaws before publicly disclosing them.

> Such a move is typically seen as a no-no by the infosec community, which favors transparency, but there's apparently a time and a place for these things.

[ziddoap]

Yes, this article is unfortunately disappointing and seems to have a bit of spin put on it, considering this is all pretty standard coordinated disclosure stuff.