> When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published.
Is this a failure on JetBrains' part to acknowledge the issue and properly give credit for discovering the CVE?
The linked timeline from JetBrains' side doesn't exactly shower them with glory - taking more than a week to respond with CVE numbers is not ideal. But the linked toot states:
> it's super inappropriate to lie to researchers who disclosed this to you responsibly about what your plans are.
That would be super inappropriate, yes! But Rapid7 hasn't alleged that publicly, as far as I've seen. All I have seen so far is researchers alluding to bad behaviour and deception, and no concrete or falsifiable accusations.
Cutting Rapid7 out of the disclosure is definitely poor form, but that's a far cry from lies and deception. As a not-totally-disinterested outside observer (using JetBrains' IDE products but not TeamCity) I definitely want to know if they are behaving badly so I can factor that into my future plans. But without a concrete falsifiable accusation it reads to me like butthurt on the part of the researchers involved.
> Note: The JetBrains release blog for 2023.11.4 appears to display different publication dates based on the time zone of the reader. Some readers see that it was released March 3, while others see March 4. We've modified our language above to note that Rapid7 saw the release blog on March 4, regardless of what time it was released.
If the contention is when to release details, then all parties should agree on UTC, with appropriate time precision. Anything else is adding obscurity to an already difficult-to-follow plot.