JetBrains accuses Rapid7 of targeting customers with ransomware attacks

March 13, 2024
1 min read

Summary of Article

TLDR: JetBrains fingers Rapid7 for customer ransomware attacks

Key Points:

  • Rapid7 accused JetBrains of silent patching, leading to a public dispute
  • JetBrains criticized Rapid7 for releasing detailed vulnerability information

JetBrains and Rapid7 are embroiled in a public dispute over ransomware attacks on TeamCity customers. Rapid7 accused JetBrains of silent patching while JetBrains defended its actions, stating that it disclosed only necessary vulnerability details. The conflict escalated when Rapid7 released exploit code, leading to ransomware attacks on TeamCity users shortly after patches were deployed.

In the world of infosec, public disputes like this are rare, as vendors typically collaborate and follow agreed-upon disclosure norms. JetBrains highlighted the disclosure norms of major industry players like Google and Microsoft, whose policies involve delaying detailed disclosures of vulnerabilities after the release of fixes to ensure user protection.

Despite Rapid7’s policy of prioritizing transparent and timely disclosures, the conflict with JetBrains arose due to differing definitions of silent patching. JetBrains’ decision not to coordinate with Rapid7 for disclosure led to a breakdown in communication. The ransomware attacks on TeamCity customers underscore the importance of well-timed disclosures to prevent costly security breaches.

Ultimately, the public dispute between JetBrains and Rapid7 serves as a cautionary tale for future discussions on vulnerability disclosure. With the average cost of remediating a ransomware attack being $1.5 million, vendors must carefully consider the timing of their disclosures to protect customers and prevent financial losses.

By highlighting the need for clear communication and compromise in the disclosure process, the conflict between JetBrains and Rapid7 sheds light on the complexities of cybersecurity and the importance of collaboration in safeguarding digital assets.
