JetBrains is continuing to criticize Rapid7’s policy for disclosing vulnerabilities its researchers uncover, saying the cybersecurity firm’s quick release of details of flaws in JetBrains’ TeamCity platform harmed some customers and runs counter to other companies’ processes.
Rapid7 disclosed details of two vulnerabilities in JetBrains’ developer platform hours after the software company alerted users of fixes. In a blog post this week, Daniel Gallo, solution engineer at JetBrains, said Rapid7 releasing the details so soon after the fixes were released gave many organizations too little time to apply the patches before cybercriminals could begin exploiting them.
“Releasing the full technical details of a vulnerability and the exploit steps simultaneously with its fix is entirely unethical and harmful to our customers, provided that enough details are made publicly available to allow customers to fully understand the risks and protect themselves against the vulnerability,” Gallo wrote.
“Releasing a full disclosure and providing the exploit steps enables potential attackers to immediately exploit a vulnerability before any customers have had the opportunity to patch their environments.”
Gallo’s post comes a week after the two companies accused each other of fumbling the response to two vulnerabilities Rapid7 researchers discovered last month in JetBrains’ TeamCity CI/CD platform. The bugs – CVE-2024-27198 and CVE-2024-27199 – could enable bad actors to take control of compromised instances, gather information, and modify a system.
There were reports from cybersecurity experts that threat groups descended on the vulnerabilities in the hours and days after JetBrains released the fixes for its continuous-integration, continuous development platform to its users. Two days after the releases, TeamIX – a search engine that scans for and collects data about vulnerabilities and makes it public – found there were 1,711 vulnerable TeamCity instances and that 1,442 of them “show clear signs of rogue user creation.”
There also were reports that ransomware groups were exploiting the flaws to gain initial access into systems.
In dueling blog posts, JetBrains and Rapid7 blamed each other for the deluge of attacks, pointing their criticism at the other’s disclosure policy. Each outlined a timeline that started on February 15, when Stephen Fewer, principal security researcher at Rapid7, emailed JetBrains about the vulnerabilities. Communication continued, but the two couldn’t reconcile the differences in their disclosure policies, so there was no coordinated release of information between them.
Rapid7’s policy calls for the company to issue details of flaws 24 hours after learning that a fix for them has been released. JetBrains’ policy, by contrast, involves alerting customers via email about fixes, waiting a few days before announcing the fixes, and waiting even longer, until most customers have applied the fixes, before publishing technical details.
Fewer, in a blog post earlier this month, criticized JetBrains for “silently patching” the vulnerabilities.
However, JetBrains’ Gallo said Rapid7 researchers insisted on sticking with their policy, so “JetBrains made the decision not to make a coordinated disclosure with Rapid7.”
The hours-long window between the patch release and Rapid7’s disclosure enabled many JetBrains users to apply the fix or upgrade their software before the technical details were made public, but others were not able to, and the company began to hear from users whose servers were being compromised.
“This was due to the immediate availability of publicly documented exploit examples published by Rapid7, which meant attackers of any skill level had all the resources they needed to quickly exploit the vulnerabilities in the wild,” Gallo wrote.
Rapid7 has stuck by its disclosure policy. That said, Gallo pointed to policies of a few other companies that are more in line with JetBrains’, including the Project Zero team at Google and its practice of giving vendors 90 days after being notified of a vulnerability to make a patch available to users and then another 30 days before it discloses details of the flaw.
He also pointed to policies at Microsoft and the Open Worldwide Application Security Project (OWASP) that fall more in line with what JetBrains does, including promoting the importance of coordinated disclosure.