@simontsui @campuscodi Is it me or Rapid7's policy is painfully vague about exploit publication?
I mean point 4. can be easily interpreted so that if there is an official patch with proper CVE, security impact description, etc. R7 will still publish the exploit immediately, while I think in this good-faith case it'd make much more sense to stick to the 60-day deadline from point 3.
https://www.rapid7.com/security/disclosure/Anyhow this looks like a major communication fuckup.