JetBrains, Rapid7 clash over vulnerability disclosure policies

Silent patching debate

Silent patching concerns have been raised by many infosec professionals and vendors like Rapid7 throughout the years. For example, in 2022, Tenable CEO Amit Yoran accused Microsoft of silently patching on many occasions. Tenable researchers had recently reported Azure flaws and expressed frustration with the disclosure process, which Yoran said lacked transparency.

The ongoing feud between JetBrains and Rapid7 shows that researchers and vendors remain divided on how best to disclose vulnerabilities without giving attackers an advantage.

Bob Huber, chief security officer and head of research at Tenable, told TechTarget Editorial that he believes JetBrains was naive to think the flaws were unknown prior to disclosure, or that no actor had been exploiting them previously. He added that JetBrains software is a popular target for attackers.

For example, in December, CISA issued a joint advisory warning that a Russian nation-state threat actor, commonly known as APT29 or Cozy Bear, had exploited a different TeamCity vulnerability against several customers, including technology companies. Months before that, Microsoft confirmed that a North Korean nation-state actor exploited a TeamCity remote code execution vulnerability, tracked as CVE-2023-42793, that also allowed for authentication bypass.

Huber said one hazard of vendors' silent patching practices is security leaders being left in the dark regarding exposure to risk. That lack of threat intelligence can lead to breaches and data theft, he warned. Huber added that providing full transparency enables organizations to investigate and resolve issues before attackers have a chance to act.

"By sharing limited details on the vulnerabilities and dismissing coordination efforts with the researchers, JetBrains created more work for its customers, sending them off on a wild goose chase trying to understand where they are vulnerable," Huber said. "This isn't JetBrains' first vulnerability disclosure exercise. Security researchers and adversaries will reverse-engineer the vulnerability anyway, so their actions only delay the inevitable."

Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative (ZDI) research team, said researchers and vendors have long disagreed over the best way to disclose vulnerabilities. He stressed that ZDI has had its fair share of disagreements with vendors over disclosures, including one with Microsoft last year. ZDI's default policy provides vendors with 120 days before public disclosure, but Childs said it does not have a strict policy on publishing details after patches become available.

Regarding the JetBrains and Rapid7 case, Childs highlighted Gallo's March 5 blog post in which he said JetBrains opted not to make a coordinated disclosure with Rapid7. Childs said that statement negates JetBrains' claims about it practicing ethical vulnerability disclosure.

"You can't practice coordinated disclosure only when it benefits you. There's a difference between coordinated disclosure and controlled disclosure, and it seems they were looking to control the narrative rather than coordinate with Rapid7," Childs told TechTarget Editorial. "They also seem to underestimate how quickly reverse-engineers can patch diff and create exploits. In my experience, the fastest I've seen was a scant four hours."

Responsible vs. coordinated disclosure

In addition to blaming Rapid7 for TeamCity attacks, Gallo also argued that JetBrains' disclosure policy is "commonplace" in the industry and referred to Microsoft's and Google's own policies. While it appeared that those remarks were meant to strengthen JetBrains' argument, Childs said referencing those companies shows JetBrains might be focused more on brand reputation than customer protection.

"Microsoft and Google have disclosure policies that include their best interests," he said. "They often want to protect the brand as much as the customer. Research organizations like Rapid7 have different priorities and thus different disclosure policies."

Childs attributed perpetual discussions on the subject to an industrywide shift away from the term responsible disclosure to coordinated disclosure. He acknowledged that some infosec professionals might have viewed Rapid7's release of full technical details as "irresponsible." However, Childs emphasized that threat actors don't wait for organizations' patch management issues to be resolved; timely patching remains an ongoing struggle for enterprises of all sizes.

He also said JetBrains' decision to patch silently and leave Rapid7 out of the disclosure process would be considered unethical by many infosec professionals.

"What we need to remember is that threat actors share information when it benefits their needs," Childs said. "Withholding information and pointing fingers doesn't make anyone safer. It's not the researchers or vendors that suffer the consequences -- it's the end users."

Jake Williams, a faculty member at IANS Research, also criticized JetBrains for blaming Rapid7 for the attacks against its customers. He interpreted the finger-pointing as JetBrains distracting from two real issues. First, like Huber, he emphasized that TeamCity is a known target of threat actors. Second, Williams said JetBrains might have been deflecting the fact that its servers contained trivially exploitable authentication bypass vulnerabilities.

"I have no doubt that TeamCity customers have been impacted negatively by Rapid7 following its published disclosure policy. But none of this happens if JetBrains' code wasn't vulnerable in the first place," Williams told TechTarget Editorial. "I'd like to see JetBrains redirect the energy they put into the blog post calling out Rapid7 toward engineering a vulnerability-free product."

Nate Warfield, director of threat research and intelligence at security platform provider Eclypsium, said the definitions of ethical and responsible disclosure can differ depending on the vendor and researcher. "Using ethical to describe a vulnerability disclosure process is merely an evolution of the much-despised Microsoft term responsible disclosure," Warfield told TechTarget Editorial.

He acknowledged that many vendors and professionals support releasing a full PoC exploit with the mindset that it will help organizations determine if they're affected by the vulnerability and develop defensive strategies. In addition, Warfield highlighted how PoCs benefit the greater security community by providing technical details that aid in threat intelligence gathering.

However, he said PoCs lack detailed security recommendations and can leave organizations in a race against time with the attackers. Similarly to Huber and Childs, Warfield emphasized that exploitation campaigns can start within hours, and depending on the time zone, organizations might not see advisories until after their devices have been affected.

Because of the short window, he believes it's unfair to blame organizations for a lack of timely patching.

"The problem is, rarely do we see research companies release said defensive guidance -- their blogs go deeply technical covering every aspect of what caused the vulnerability, the offending code, their research process and the exploit. However, something as simple as the log messages thrown by the system when it's exploited or a rough detection rule for any of the most common security tools is rarely, if ever, included," Warfield said.

Regarding the disclosure argument between JetBrains and Rapid7, Warfield believes the software developer appeared to take the reported vulnerabilities seriously and understood how the PoC fallout posed a potential risk to customers. In addition, he said the silent patching accusations against JetBrains could be fruitless.

"This generally refers to shipping an update without assigning a CVE, yet JetBrains had already assigned two CVEs to the report days after receiving it," Warfield said. "The inference here is they asked Rapid7 to withgo releasing the full write-up and exploit until their customers had a few days to patch. This is not an unreasonable request. JetBrains even went so far as to try and obfuscate the patch to make the inevitable patch diffing and reverse-engineering more complex, buying their customers additional hours or possibly days to remediate."

On the other hand, he said it's unclear whether that approach was communicated with Rapid7. Though the silent patching accusations are murky, Warfield said it's obvious that JetBrains did not follow a coordinated disclosure process, which prompted Rapid7 to disclose the full details.

Warfield emphasized how important it is for security researchers to work closely with the vendors whose products they break. Researchers save vendors time, he said, by disclosing exploits and advanced tactics attackers could leverage against customers. He also recognizes how essential it is to allow vendors time to protect their customers. Overall, both sides should strive to do better, Warfield stressed.

"Like it or not, the work done by the security research community is weaponized against organizations on a daily basis," he said. "In this specific instance, it was only a few weeks from report to patch availability, and with better communication or taking a real-world approach to the disclosure, it could have resulted in fewer organizations being impacted."

Arielle Waldman is a news writer for TechTarget Editorial covering enterprise security.