> When Rapid7 contacted JetBrains about their uncoordinated vulnerability disclosure, JetBrains published an advisory on the vulnerabilities without responding to Rapid7 on the disclosure timeline. JetBrains later responded to indicate that CVEs had been published.
Is this a failure on JetBrains' part to acknowledge the issue and properly give credit for discovering the CVE?
> Note: The JetBrains release blog for 2023.11.4 appears to display different publication dates based on the time zone of the reader. Some readers see that it was released March 3, while others see March 4. We've modified our language above to note that Rapid7 saw the release blog on March 4, regardless of what time it was released.
If the contention is when to release details, then should agree on UTC for all parties, with appropriate time precision. Anything else is adding obscurity to an already difficult-to-follow plot.
(Disclosure: I know some of the folk on the Rapid7 side, so I'm perhaps biased towards their interpretation of events)