The linked timeline from JetBrains' side doesn't exactly shower them with glory - taking more than a week to respond with CVE numbers is not ideal. But the linked toot states:
> it's super inappropriate to lie to researchers who disclosed this to you responsibly about what your plans are.
That would be super inappropriate, yes! But Rapid7 hasn't alleged that publicly that I've seen. All I have seen so far is researchers alluding to bad behaviour and deception, and no concrete or falsifiable accusations.
Cutting Rapid7 out of the disclosure is definitely poor form, but that's a far cry from lies and deception. As a not-totally-disinterested outside observer (using JetBrains' IDE products but not TeamCity) I definitely want to know if they are behaving badly so I can factor that into my future plans. But without a concrete falsifiable accusation it reads to me like butthurt on the part of the researchers involved.