JetBrains vulnerability exploitation highlights debate over 'silent patching'

Czech software giant JetBrains harshly criticized security company Rapid7 this week following a dispute over two recently-discovered vulnerabilities.
In a blog post published Monday, JetBrains attributed the compromise of several customers' servers to Rapid7's decision to release detailed information on the vulnerabilities.
Two of the victims described in the blog had files encrypted by ransomware, JetBrains said.
Concern about the JetBrains vulnerabilities grew last week when the top cybersecurity agency in the U.S. warned that one of them was being exploited and gave federal civilian agencies until March 28 to patch it.
A JetBrains spokesperson said they could not confirm that the victims named in the blog were attacked after Rapid7 released the proof-of-concept code for the vulnerabilities, but said the victims contacted them after the details were released.
JetBrains said the attackers followed no particular pattern and simply targeted customers whose servers were exposed to the internet.
When contacted by Recorded Future News, Rapid7 would only say it strictly abides by its vulnerability disclosure policies and would not comment further.
The multibillion-dollar firm employs about 2,200 people globally and has been a publicly-traded company for nearly a decade.
The dispute between the two companies began when Rapid7 researcher Stephen Fewer discovered and reported CVE-2024-27198 and CVE-2024-27199 to JetBrains in February.
JetBrains wanted to release patches privately before public disclosure, which Rapid7 objected to.
JetBrains effectively stopped answering Rapid7's messages before releasing a fixed version of the software on March 3 without notifying Rapid7 that fixes had been implemented and were generally available.
In line with their policy against the practice of silent patching - where companies quietly patch reported vulnerabilities without notifying customers - Rapid7 released the technical details of the vulnerabilities shortly after JetBrains made its fixes available to customers.
Rapid7 and many other cybersecurity experts say cybercriminals and other attackers can reverse-engineer patches to find ways around them.
Experts also say that patches are often poorly done and need to be checked, typically by the researchers who discovered the bugs in the first place.
Recorded Future News spoke with several cybersecurity incident responders and researchers who disagreed with JetBrains' assessment of the situation.
Cybersecurity expert John Bambenek said it is naïve to think that, simply because a security company hasn't released details of a vulnerability, the vulnerability is not already known to criminal or nation-state actors.
Bob Huber, chief security officer and head of research at Tenable, added that JetBrains created more work for its customers by sharing limited details on the vulnerabilities and dismissing coordination efforts with the researchers.
Full transparency, he said, enables cybersecurity defenders to quickly investigate and resolve the issue before cyberattacks occur.
This Cyber News was published on therecord.media. Publication date: Tue, 12 Mar 2024 21:25:18 +0000