|
|
|
|
|
|
by hiatus
840 days ago
|
|
|
Above I linked to a blog post Jetbrains put out on March 3rd, on Sunday. It details the vulnerability. March 3rd is before March 4th, so it seems they did not silently patch anything but published the patch and details concurrently. |
|
|
https://blog.jetbrains.com/teamcity/2024/03/our-approach-add...
And this is the part Rapid7 presumably took issue with.
>At this point, we made a decision not to make a coordinated disclosure with Rapid7
As well as
>We published a blog post about the release. This blog post intentionally didn’t mention the security issues in detail
Which is presumably the blog post that Rapid7 saw, which triggered their silent patching policy.
Although, after reading all the blog posts (from Jetrbrains, and from Rapid7), I think this is a much more standard affair than The Reg tries to spin in its article.