Last week, we wrote about how security outfit Rapid7 threw JetBrains, the company behind the popular CI/CD platform TeamCity, under the bus over allegations of silent patching.
The software developer published its side of the story at the time, but felt the need to go a step further with another blog post this week, hammering home its argument that it did act responsibly and within the norms of vulnerability disclosure.
Following Rapid7's detailed disclosure, within hours on-premises TeamCity users were reporting being hit by ransomware attacks.
We asked Rapid7 if it had a response but it didn't immediately reply.
Speaking of those norms, JetBrains made a point of highlighting the disclosure norms of other major vendors in the industry, such as Google and Microsoft.
Google's Project Zero team follows a policy that affords vendors 90 days to release fixes for vulnerabilities and a further 30 days after a fix ships before detailed information about them is published.
OWASP acknowledges the merits of both sides and suggests finding a compromise on the disclosure policies if the two parties differ substantially.
National and international cybersecurity authorities generally agree a delay is necessary between reporting and publicly disclosing details of vulnerabilities, although these delays can vary between countries.
Spain, for example, will publish details of a security issue if the vendor fails to patch it within 60 days.
Luxembourg's default deadline is shorter at 30 days, albeit with flexibility built into it for more complex situations, while the US's Cybersecurity and Infrastructure Security Agency can disclose a vulnerability 45 days after the first attempt to contact the relevant vendor.
The EU's cybersecurity agency, ENISA, sets out in its guidelines for developing a disclosure policy that a patch should always be developed within 90 days at the latest.
Rapid7's disclosure policy prioritizes timely disclosures.
The policy stipulates that vendors have 60 days from the point of disclosure to release a fix before public disclosure, with the opportunity to extend that by 30 additional days if a fix can't be developed in that time and, crucially, the vendor works in good faith.
It also says that the company will publish vulnerability details within 24 hours if it suspects a vendor is silently patching vulnerabilities.
Plus, by JetBrains' own admission, it decided four days after Rapid7's disclosure that it would not follow coordinated disclosure with the researchers.
JetBrains said this was a decision taken to protect its own customers from exploits, but Rapid7 likely saw it as a bad-faith working relationship.
The to and fro should inform future discussions around public disclosures, and the ransomware attacks against TeamCity customers shouldn't be taken lightly.
The average cost of remediating an attack is roughly $1.5 million, meaning vendors must seriously consider the timing of their public disclosures.
Even if Rapid7 thought JetBrains was silently patching vulnerabilities, an assertion JetBrains denies, waiting a week before outing the developer may have helped customers apply patches to prevent these costly attacks.
There's also no guarantee that waiting that time would have spurred admins into action to patch the flaws, so there are arguments to be made for both sides.
This Cyber News was published on go.theregister.com. Publication date: Tue, 12 Mar 2024 17:13:06 +0000