War of words wages on between vendors divided
Further to that, it branded Rapid7's approach, which was to release full details of the two TeamCity vulnerabilities as well as enough information for low-skilled attackers to develop exploit code just five hours after patches went live, "entirely unethical and harmful" to its customers.

Daniel Gallo, TeamCity solutions engineer at JetBrains.
Seeing this kind of public war of words is a rarity in the infosec space which, generally speaking, is comprised of members that form a collaborative community and abide by agreed-upon norms.

Speaking of those norms, JetBrains made a point of highlighting the disclosure norms of other major vendors in the industry, such as Google and Microsoft.
Similarly, OWASP acknowledges the merits of both sides and suggests finding a compromise on the disclosure policies if the two parties differ substantially. It does, however, note that it would be "sensible" for details about serious vulnerabilities to have a publication delay to limit the potential for harm.
It also says that the company will publish vulnerability details within 24 hours if it suspects a vendor of silently patching vulnerabilities.

Plus, by JetBrains' own admission, it decided four days after Rapid7's disclosure that it would not be following a coordinated disclosure with the researchers. This was due to their reluctance to allow a delay in publication after patches were released.