Hacker News new | ask | show | jobs
by ziddoap 840 days ago
I'm not sure how to reword it in another way that would help you understand that Jetbrains did what is called "silent patching".

Maybe this paragraph from the article makes it clear?

>Rapid7 claims that after more than a week of radio silence from JetBrains on the coordinated disclosure matter, Rapid7 spotted fresh patches for CVE-2024-27198 and CVE-2024-27199 on Monday, without a published security advisory and without telling the researchers.

That makes this whole thing fall under Rapid7's silent patching policy.
1 comments
hiatus 840 days ago
Above I linked to a blog post Jetbrains put out on March 3rd, on Sunday. It details the vulnerability. March 3rd is before March 4th, so it seems they did not silently patch anything but published the patch and details concurrently.
link
ziddoap 840 days ago
This post clears it up a bit more.

https://blog.jetbrains.com/teamcity/2024/03/our-approach-add...

And this is the part Rapid7 presumably took issue with.

>At this point, we made a decision not to make a coordinated disclosure with Rapid7

As well as

>We published a blog post about the release. This blog post intentionally didn’t mention the security issues in detail

Which is presumably the blog post that Rapid7 saw, which triggered their silent patching policy.

Although, after reading all the blog posts (from Jetrbrains, and from Rapid7), I think this is a much more standard affair than The Reg tries to spin in its article.

link