vulnerability bounty platform

The vulnerability bounty platform OpenBounty publicly released a vulnerability report, and researchers called it "irresponsible."

ChainCatcher news reports that the vulnerability bounty platform OpenBounty has faced criticism from peer security researchers after users discovered that their submitted vulnerability reports were published on a public blockchain. When OpenBounty receives a report, it automatically publishes the content of these reports as transactions on Shentu, a blockchain operated by OpenBounty's parent company, Shentu Foundation. The publicly disclosed details include the threat level of the vulnerability, the location of potentially vulnerable code, and comments from the report authors. OpenBounty lists over 30 different cryptocurrency projects offering vulnerability bounties, with a total deposit value exceeding $11 billion.Independent security researcher Pascal Caversaccio stated that publicly disclosing potential vulnerabilities is extremely irresponsible, as any hacker can sift through these reports and exploit them. Security researchers also complained that OpenBounty listed and accepted vulnerability bounty reports from other security companies and cryptocurrency projects that had not authorized them. Among the bounties listed on the OpenBounty website are those from top decentralized exchange Uniswap and lending protocol Compound.Michael Lewellen, Solutions Architect at the crypto security company OpenZeppelin, stated, "As a security advisor for Compound DAO at OpenZeppelin, I can authoritatively say that they have not been authorized to manage vulnerability bounties on behalf of the protocol."Dmytro Matviiv, CEO of the vulnerability bounty platform HackenProof, said, "Listing bounties without permission could have legal consequences. The vulnerability bounty market operates under a carefully considered legal process. Within this system, permission from the bounty issuer must be obtained before placing a bounty on a vulnerability bounty platform."A spokesperson for CertiK confirmed that the entity controlling the OpenBounty platform, Shentu, was once part of CertiK; however, Shentu has been operating independently since 2020. Nevertheless, four years after the split, the code on the OpenBounty platform still links to domain names that include CertiK in their names. However, CertiK's spokesperson stated that these domains are managed independently by Shentu.
ChainCatcher Building the Web3 world with innovators