Hacker News new | ask | show | jobs
by hiatus 840 days ago
Where does the article say that? I see:

> Rapid7 says it reported the two TeamCity vulnerabilities in mid-February, claiming JetBrains soon after suggested releasing patches for the flaws before publicly disclosing them.

So JetBrains wanted to have a patch ready before disclosing the vulnerability publicly. It seems they were working on it and were working with Rapid7. I am struggling to think how it would be better for users if an unpatched vulnerability is released before a patch is available. What's the thinking here, that users will take additional precautions to secure the application while they wait for a patch?
2 comments
ziddoap 840 days ago
>Where does the article say that?

The first sentence.

>Security shop Rapid7 is criticizing JetBrains for flouting its policy against silent patching

Why Rapid7 doesn't like silent patching can be found here: https://www.rapid7.com/blog/post/2022/06/06/the-hidden-harm-...

link
IshKebab 840 days ago
It says it right here:

> Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.

link
hiatus 840 days ago
Rapid7 reported the vulnerabilities mid-Feb. Jetbrains turned around with patches about 2 weeks later, and published them yesterday. The CVE was literally created yesterday. Isn't it a bit premature to claim "silence"?
link
ziddoap 840 days ago
>Isn't it a bit premature to claim "silence"

What do you mean?

They released patches without saying they were related to a vulnerability and without notifying Rapid7. That is the textbook definition of what a silent patch is.

link
hiatus 840 days ago
https://twitter.com/teamcity/status/1764669887014736007 they tweeted yesterday that they patched vulnerabilities. They published a blog post about it on the 3rd. https://blog.jetbrains.com/teamcity/2024/03/additional-criti...

I'm genuinely struggling to understand what went wrong here.

link
ziddoap 840 days ago
I'm not sure how to reword it in another way that would help you understand that Jetbrains did what is called "silent patching".

Maybe this paragraph from the article makes it clear?

>Rapid7 claims that after more than a week of radio silence from JetBrains on the coordinated disclosure matter, Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.

That makes this whole thing fall under Rapid7's silent patching policy.

link
hiatus 840 days ago
Above I linked to a blog post Jetbrains put out on March 3rd, on Sunday. It details the vulnerability. March 3rd is before March 4th, so it seems they did not silently patch anything but published the patch and details concurrently.
link